Merge remote-tracking branch 'upstream/master'
certcc-ghbot committed Apr 17, 2024
2 parents 4669711 + 607fb09 commit 27420ec
Showing 19 changed files with 27 additions and 27 deletions.
2 changes: 1 addition & 1 deletion data/exploits/cve-2018-1000001/RationalLove.c
Expand Up @@ -553,7 +553,7 @@ void createStackWriteFormatString(
formatBuffer+=result;
bufferSize-=result;

// Write the LABEL 6 more times, thus multiplying the the single
// Write the LABEL 6 more times, thus multiplying the single
// byte write pointer to an 8-byte aligned argv-list pointer and
// update argv[0] to point to argv[1..n].
writeCount=(((int)argvStackAddress)-(writeCount+56))&0xffff;
16 changes: 8 additions & 8 deletions db/modules_metadata_base.json
Expand Up @@ -65531,7 +65531,7 @@
"Ron Bowes",
"jheysel-r7"
],
"description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n 'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n to the J-Web application, in order to overwrite the the root password hash. If there is no user\n authenticated to the J-Web application this method will not work. The module then authenticates\n with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.",
"description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n 'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n to the J-Web application, in order to overwrite the root password hash. If there is no user\n authenticated to the J-Web application this method will not work. The module then authenticates\n with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.",
"references": [
"URL-https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/",
"URL-https://vulncheck.com/blog/juniper-cve-2023-36845",
Expand Down Expand Up @@ -65560,7 +65560,7 @@
"PHP In-Memory",
"Interactive SSH with jail break"
],
"mod_time": "2023-09-29 11:40:03 +0000",
"mod_time": "2024-04-15 11:06:50 +0000",
"path": "/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb",
"is_install_path": true,
"ref_name": "freebsd/http/junos_phprc_auto_prepend_file",
Expand Down Expand Up @@ -73350,7 +73350,7 @@
"description": "IPFire, a free linux based open source firewall distribution,\n version < 2.19 Update Core 101 contains a remote command execution\n vulnerability in the proxy.cgi page.",
"references": [
"EDB-39765",
"URL-www.ipfire.org/news/ipfire-2-19-core-update-101-released"
"URL-https://www.ipfire.org/news/ipfire-2-19-core-update-101-released"
],
"platform": "Unix",
"arch": "cmd",
Expand All @@ -73373,7 +73373,7 @@
"targets": [
"Automatic Target"
],
"mod_time": "2020-10-02 17:38:06 +0000",
"mod_time": "2024-04-17 13:00:41 +0000",
"path": "/modules/exploits/linux/http/ipfire_proxy_exec.rb",
"is_install_path": true,
"ref_name": "linux/http/ipfire_proxy_exec",
Expand Down Expand Up @@ -88658,7 +88658,7 @@
"Linux Command",
"Unix Command"
],
"mod_time": "2023-11-07 09:21:04 +0000",
"mod_time": "2024-04-15 11:06:50 +0000",
"path": "/modules/exploits/linux/misc/cisco_ios_xe_rce.rb",
"is_install_path": true,
"ref_name": "linux/misc/cisco_ios_xe_rce",
Expand Down Expand Up @@ -160094,7 +160094,7 @@
"references": [
"EDB-41153",
"CVE-2017-11517",
"URL-www.geutebrueck.com"
"URL-https://www.geutebrueck.com"
],
"platform": "Windows",
"arch": "",
Expand All @@ -160110,7 +160110,7 @@
"GCore 1.3.8.42, Windows x64 (Win7+)",
"GCore 1.4.2.37, Windows x64 (Win7+)"
],
"mod_time": "2020-10-02 17:38:06 +0000",
"mod_time": "2024-04-17 13:00:41 +0000",
"path": "/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb",
"is_install_path": true,
"ref_name": "windows/http/geutebrueck_gcore_x64_rce_bo",
Expand Down Expand Up @@ -163208,7 +163208,7 @@
"targets": [
"Windows Command"
],
"mod_time": "2023-05-08 12:11:01 +0000",
"mod_time": "2024-04-15 11:06:50 +0000",
"path": "/modules/exploits/windows/http/manageengine_adaudit_plus_authenticated_rce.rb",
"is_install_path": true,
"ref_name": "windows/http/manageengine_adaudit_plus_authenticated_rce",
Expand Up @@ -342,7 +342,7 @@ The result object now as a `.to_h` method which returns a hash compatible with o

In the case of a success we build some info hashes and call `create_credential`. This is a method found in the metasploit-credential gem under `lib/metasploit/credential/creation.rb` in a mixin called `Metasploit::Credential::Creation`. This mixin is included in the Report mixin, so if your module includes that mixin you'll get these methods for free.

`create_credential` creates a `Metasploit::Credential::Core`. We then take that core, the service data, and merge it with some additional data. This additional data includes the access level, the current time (to update last_attempted_at on the `Metasploit::Credential::Login`), the the status.
`create_credential` creates a `Metasploit::Credential::Core`. We then take that core, the service data, and merge it with some additional data. This additional data includes the access level, the current time (to update last_attempted_at on the `Metasploit::Credential::Login`), the status.

Finally, for a success, we output the result to the console.

2 changes: 1 addition & 1 deletion documentation/modules/auxiliary/admin/ldap/rbcd.md
Expand Up @@ -160,7 +160,7 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > run
msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
```

Now use the RBCD module to read the the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
Now use the RBCD module to read the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:

```msf
msf6 auxiliary(admin/ldap/rbcd) > set USERNAME [email protected]
Expand Up @@ -26,7 +26,7 @@ Security bulletin from Squid: https://github.com/squid-cache/squid/security/advi

### REQUEST_COUNT

REQUEST_COUNT is both the the number of HTTP requests which are sent to the server in
REQUEST_COUNT is both the number of HTTP requests which are sent to the server in
order to perform the actual Denial of Service (i.e. accepted requests by the server),
and the number of requests that are sent to confirm that the Squid host is actually
dead.
Expand Up @@ -7,7 +7,7 @@ in the cluster, indices, and pull data from those indices.
### Docker

Docker install is quite simple, however it won't come with any data making the results rather boring.
However, we can use the the [oliver006/elasticsearch-test-data](https://github.com/oliver006/elasticsearch-test-data)
However, we can use the [oliver006/elasticsearch-test-data](https://github.com/oliver006/elasticsearch-test-data)
repo to help auto populate our data.

```
2 changes: 1 addition & 1 deletion documentation/modules/auxiliary/multidrop.md
Expand Up @@ -64,7 +64,7 @@ Basic options:
Description:
This module dependent on the given filename extension creates either
a .lnk, .scf, .url, desktop.ini file which includes a reference to
the the specified remote host, causing SMB connections to be
the specified remote host, causing SMB connections to be
initiated from any user that views the file.
References:
2 changes: 1 addition & 1 deletion documentation/modules/exploit/linux/http/gravcms_exec.md
Expand Up @@ -96,7 +96,7 @@ msf6 exploit(linux/http/gravcms_exec) > run
[*] Implanting payload via scheduler feature
[+] Scheduler successfully created ! Wait for 1 minute...
[*] Sending stage (39282 bytes) to 172.26.240.1
[*] Cleaning up the the scheduler...
[*] Cleaning up the scheduler...
[+] The scheduler config successfully cleaned up!
[*] Meterpreter session 1 opened (172.26.253.227:4444 -> 172.26.240.1:53912) at 2021-04-11 15:32:01 +0300
Expand Up @@ -46,7 +46,7 @@ The host `runc` binary will be overwritten during exploitation. The module
takes care of making a backup before the overwrite and restoring it when the new
session is established. However, it might not work as expected and something
could go wrong during the exploitation, which might prevent the session being
created. In this case, `runc` won't be restored and the the host will no longer
created. In this case, `runc` won't be restored and the host will no longer
be able to run Docker containers. This process will need to be done manually
somehow by following the instruction displayed during the module execution:
```
Expand Up @@ -25,7 +25,7 @@ Once installed pfSense will start and you can access the web GUI by navigating t
Sign into the application with username: `admin` password: `pfsense`

Now at the top of the screen select System -> Advanced. Scroll down to the section named Secure Shell and tick the box
beside `Enable Secure Shell`. Then click the `Save` button at the the bottom of the page to apply the changes.
beside `Enable Secure Shell`. Then click the `Save` button at the bottom of the page to apply the changes.

From your host machine we can now transfer the vulnerable package to the pfSense VM using `scp`

Expand Up @@ -11,7 +11,7 @@ unexpected to an end user.

Executable files can live in a sub-directory so when the ".contact" website link
is clicked it traverses directories towards the executable and runs. Making
matters worse is if the the files are compressed then downloaded "mark of the
matters worse is if the files are compressed then downloaded "mark of the
web" (MOTW) may potentially not work as expected with certain archive utilitys.
The "." chars allow directory traversal to occur in order to run the attackers
supplied executable sitting unseen in the attackers directory. This advisory is
2 changes: 1 addition & 1 deletion documentation/modules/exploit/windows/local/tokenmagic.md
Expand Up @@ -29,7 +29,7 @@ the powershell script manually after some edits to accomplish access to a Window
## Options
**METHOD**
Select between DLL hijacking and service exploitation
* DLL mode: Using the elevated privileges from token magic the module will write a malicious file to `c:\windows\system32\windowscoredeviceinfo.dll`, a temporary host process is spawned and a DLL trigger is injected into the process to call the `usoclient`. When the `usoclient` EXE runs it loads the the malicious DLL `windowscoredeviceinfo.dll` with `SYSTEM` level privileges.
* DLL mode: Using the elevated privileges from token magic the module will write a malicious file to `c:\windows\system32\windowscoredeviceinfo.dll`, a temporary host process is spawned and a DLL trigger is injected into the process to call the `usoclient`. When the `usoclient` EXE runs it loads the malicious DLL `windowscoredeviceinfo.dll` with `SYSTEM` level privileges.
* SERVICE mode: Using the elevated privileges from token magic the module, create a malicious service, and then start it with `SYSTEM` level privileges

**SERVICE_FILENAME**
Expand Up @@ -456,7 +456,7 @@ To learn more about the Python extension, please read this [wiki](https://docs.m
There are three mains ways that you can use for moving around inside a network:

- The route command in the msf prompt
- The route command in the the Meterpreter prompt
- The route command in the Meterpreter prompt
- The portfwd command

***Routing through msfconsole***
2 changes: 1 addition & 1 deletion documentation/modules/post/windows/manage/vss.md
Expand Up @@ -59,7 +59,7 @@ meterpreter > background
[*] Backgrounding session 2...
```

Next, use the VSS module to the the storage information and then create a shadow copy of the `C:` drive (the default
Next, use the VSS module to the storage information and then create a shadow copy of the `C:` drive (the default
value).

```
Expand Up @@ -37,7 +37,7 @@ def generate_gpo_watcher_data_json(options)

# Returns a String matching the VER_FILE_NAME format used by ADAudit Plus
#
# @return [String] Randomly generated String matching the the VER_FILE_NAME format used by ADAudit Plus
# @return [String] Randomly generated String matching the VER_FILE_NAME format used by ADAudit Plus
def generate_ver_file_name
"#{rand(1..9)}_#{Rex::Text.rand_text_alphanumeric(18)}".downcase + '.xml'
end
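Review bot: In `generate_ver_file_name`, the `.downcase` is applied to the whole interpolated string and the extension is concatenated outside the literal, although only the `Rex::Text.rand_text_alphanumeric(18)` part can carry upper-case characters; `"#{rand(1..9)}_#{Rex::Text.rand_text_alphanumeric(18).downcase}.xml"` expresses the same result in a single literal. This is a point of style only, the produced value is unchanged. The `generate_gpo_watcher_data_json` method named in the hunk header lies entirely outside the hunk.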
Expand Up @@ -32,7 +32,7 @@ def initialize(info = {})
By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a
datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated
to the J-Web application, in order to overwrite the the root password hash. If there is no user
to the J-Web application, in order to overwrite the root password hash. If there is no user
authenticated to the J-Web application this method will not work. The module then authenticates
with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.
},
2 changes: 1 addition & 1 deletion modules/exploits/linux/misc/cisco_ios_xe_rce.rb
Expand Up @@ -196,7 +196,7 @@ def exploit
end

# Execute our bootstrap script via mcp_chvrf.sh, and with 'global' virtual routing and forwarding (vrf) by
# default. The VRF allows the executed script to route its network traffic back the the framework. The map_chvrf.sh
# default. The VRF allows the executed script to route its network traffic back the framework. The map_chvrf.sh
# scripts wraps a call to /usr/sbin/chvrf, which will conveniently fork the command we supply.
success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do
next run_os_command("/usr/binos/conf/mcp_chvrf.sh #{datastore['CISCO_VRF_NAME']} sh #{bootstrap_file}", admin_username, admin_password)
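Review bot: The comment this commit corrects still names the wrong helper and drops a word: it says `The map_chvrf.sh` / `scripts wraps a call to /usr/sbin/chvrf`, while the command actually issued two lines below is `/usr/binos/conf/mcp_chvrf.sh`, and "route its network traffic back the framework" is missing "to". Suggested replacement for the two comment lines: `# default. The VRF allows the executed script to route its network traffic back to the framework. The mcp_chvrf.sh` and `# script wraps a call to /usr/sbin/chvrf, which will conveniently fork the command we supply.`. The enclosing `exploit` method begins before the hunk and continues past it.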
Expand Up @@ -108,7 +108,7 @@ def password

def delete_alert(adapcsrf_cookie)
print_status("Attempting to delete alert profile #{@alert_name}")
# let's try and get the the ID of the alert we want to delete
# let's try and get the ID of the alert we want to delete
res_get_alert = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'api', 'json', 'leftTrees', 'getLeftTreeList'),
'method' => 'POST',
Expand Down Expand Up @@ -590,7 +590,7 @@ def on_new_session(cli)
# if we wrote a PowerShell script to /alert_scripts, remind the user to delete it
# we may get two shells, so let's not repeat ourselves
if @pwned == 1
# I noticed the the meterpreter payloads wouldn't always load stdapi and/or priv automatically
# I noticed the meterpreter payloads wouldn't always load stdapi and/or priv automatically
# but when loading them manually, they worked it fine
if datastore['PAYLOAD'] =~ /meterpreter/ # I tried using cli.type == 'meterpreter' but that broke the module for some reason
print_warning("If the client portion of stdapi or priv fails to load, you can do so manually via 'load stdapi' and/or load priv'")
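Review bot: The operator-facing warning on the last line of the second hunk has an unbalanced quote, `'load stdapi' and/or load priv'`, so the command the user is told to run reads as `load priv'`; change the call to `print_warning("If the client portion of stdapi or priv fails to load, you can do so manually via 'load stdapi' and/or 'load priv'")`. This section has no file header on the page; the `delete_alert`/`on_new_session` methods and the `adapcsrf_cookie` parameter suggest it is the ADAudit Plus module whose mod_time is bumped in the metadata above, but that is inferred. `on_new_session` begins before the hunk and continues past it, as does the `send_request_cgi` call in the first hunk.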
2 changes: 1 addition & 1 deletion spec/msf/core/auxiliary/auth_brute_spec.rb
Expand Up @@ -369,7 +369,7 @@ def self.tempfile(content)

it_behaves_like(
'#each_user_pass',
context: 'when the the user / password files contain duplicate values',
context: 'when the user / password files contain duplicate values',
datastore: {
'USER_FILE' => tempfile("user1\nuser2\nuser3\n" * 3),
'PASS_FILE' => tempfile("pass1\npass2\npass3\n" * 3),
