CERTCC
diff --git a/‎db/modules_metadata_base.json‎
Lines changed: 88 additions & 52 deletions b/‎db/modules_metadata_base.json‎
Lines changed: 88 additions & 52 deletions
diff --git a/‎docs/metasploit-framework.wiki/Pivoting-in-Metasploit.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/metasploit-framework.wiki/Pivoting-in-Metasploit.md‎
Lines changed: 2 additions & 2 deletions
@@ -9585,7 +9585,7 @@
     "autofilter_ports": [],
     "autofilter_services": [],
     "targets": null,
-    "mod_time": "2025-06-23 09:30:35 +0000",
+    "mod_time": "2026-03-31 12:39:21 +0000",
     "path": "/modules/auxiliary/admin/oracle/oraenum.rb",
     "is_install_path": true,
     "ref_name": "admin/oracle/oraenum",
@@ -10668,7 +10668,7 @@
       "ftp"
     ],
     "targets": null,
-    "mod_time": "2025-05-26 20:49:19 +0000",
+    "mod_time": "2026-03-31 12:39:21 +0000",
     "path": "/modules/auxiliary/admin/scada/modicon_password_recovery.rb",
     "is_install_path": true,
     "ref_name": "admin/scada/modicon_password_recovery",
@@ -49520,7 +49520,7 @@
     "autofilter_ports": [],
     "autofilter_services": [],
     "targets": null,
-    "mod_time": "2025-06-20 13:20:44 +0000",
+    "mod_time": "2026-03-31 12:39:21 +0000",
     "path": "/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/ib_service_mgr_info",
@@ -51784,7 +51784,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2026-03-31 11:35:34 +0000",
+    "mod_time": "2026-03-31 14:32:46 +0000",
     "path": "/modules/auxiliary/scanner/oracle/isqlplus_sidbrute.rb",
     "is_install_path": true,
     "ref_name": "scanner/oracle/isqlplus_sidbrute",
@@ -109142,6 +109142,86 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/http/freescout_htaccess_rce": {
+    "name": "FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass",
+    "fullname": "exploit/multi/http/freescout_htaccess_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2026-03-01",
+    "type": "exploit",
+    "author": [
+      "offensiveee",
+      "Nir Zadok (nirzadokox) <OX Security>",
+      "Moses Bhardwaj (MosesOX) <OX Security>",
+      "Valentin Lobstein <chocapikk@leakix.net>"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution vulnerability\n          in FreeScout <= 1.8.206 (CVE-2026-28289). The sanitizeUploadedFileName()\n          function checks for dot-prefixed filenames before stripping Unicode format\n          characters (ZWSP U+200B), allowing .htaccess upload via email attachment.\n\n          A crafted email is sent via SMTP to a FreeScout mailbox. When fetched by\n          the IMAP/POP3 cron (typically every 60s), the ZWSP is stripped and the\n          attachment is stored as .htaccess. The file uses SetHandler to make itself\n          executable as PHP, achieving code execution when requested via HTTP.\n\n          Requires a valid mailbox email address and web-accessible attachment\n          storage (storage:link pointing to storage/app/).",
+    "references": [
+      "CVE-2026-28289",
+      "CVE-2026-27636",
+      "GHSA-5gpc-65p8-ffwp",
+      "GHSA-mw88-x7j3-74vc",
+      "URL-https://www.ox.security/blog/freescout-rce-cve-2026-28289/",
+      "URL-https://www.ox.security/blog/freescout-rce-cve-2026-27636/"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd, x86, x64",
+    "rport": 25,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443,
+      25,
+      465,
+      587,
+      2525,
+      25025,
+      25000
+    ],
+    "autofilter_services": [
+      "http",
+      "https",
+      "smtp",
+      "smtps"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Linux Dropper",
+      "Windows Command Shell",
+      "Windows Dropper"
+    ],
+    "mod_time": "2026-03-27 19:30:47 +0000",
+    "path": "/modules/exploits/multi/http/freescout_htaccess_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/freescout_htaccess_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Mail2Shell"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/http/gambio_unauth_rce_cve_2024_23759": {
     "name": "Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability",
     "fullname": "exploit/multi/http/gambio_unauth_rce_cve_2024_23759",
@@ -194493,51 +194573,6 @@
     "needs_cleanup": null,
     "actions": []
   },
-  "exploit_windows/local/persistence": {
-    "name": "Windows Persistent Registry Startup Payload Installer",
-    "fullname": "exploit/windows/local/persistence",
-    "aliases": [],
-    "rank": 600,
-    "disclosure_date": "2011-10-19",
-    "type": "exploit",
-    "author": [
-      "Carlos Perez <carlos_perez@darkoperator.com>",
-      "g0tmi1k"
-    ],
-    "description": "This module will install a payload that is executed during boot.\n          It will be executed either at user logon or system startup via the registry\n          value in \"CurrentVersion\\Run\" (depending on privilege and selected method).",
-    "references": [],
-    "platform": "Windows",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Windows"
-    ],
-    "mod_time": "2025-06-23 12:43:46 +0000",
-    "path": "/modules/exploits/windows/local/persistence.rb",
-    "is_install_path": true,
-    "ref_name": "windows/local/persistence",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "unknown-reliability"
-      ],
-      "Stability": [
-        "unknown-stability"
-      ],
-      "SideEffects": [
-        "unknown-side-effects"
-      ]
-    },
-    "session_types": [
-      "meterpreter"
-    ],
-    "needs_cleanup": null,
-    "actions": []
-  },
   "exploit_windows/local/plantronics_hub_spokesupdateservice_privesc": {
     "name": "Plantronics Hub SpokesUpdateService Privilege Escalation",
     "fullname": "exploit/windows/local/plantronics_hub_spokesupdateservice_privesc",
@@ -203694,7 +203729,8 @@
     "name": "Windows Registry Only Persistence",
     "fullname": "exploit/windows/persistence/registry",
     "aliases": [
-      "exploits/windows/local/registry_persistence"
+      "exploits/windows/local/registry_persistence",
+      "exploits/windows/local/persistence"
     ],
     "rank": 600,
     "disclosure_date": "2015-07-01",
@@ -203719,7 +203755,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2026-01-08 21:00:39 +0000",
+    "mod_time": "2026-02-21 09:15:56 +0000",
     "path": "/modules/exploits/windows/persistence/registry.rb",
     "is_install_path": true,
     "ref_name": "windows/persistence/registry",
@@ -282290,7 +282326,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2025-09-08 17:30:59 +0000",
+    "mod_time": "2026-03-31 12:39:21 +0000",
     "path": "/modules/post/windows/gather/credentials/credential_collector.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/credentials/credential_collector",
 
@@ -444,7 +444,7 @@ Now edit the `proxychains` configuration file located at `/etc/proxychains.conf`
 socks5 127.0.0.1 1080
 ```
 
-The final final should look something like this:
+The final file should look something like this:
 
 ```ini
 # proxychains.conf  VER 3.1
@@ -567,7 +567,7 @@ index.html             100%[===========================>]  57.34K  --.-KB/s    i
 ```
 
 ### Scanning
-For scanning with Nmap, Zenmap, Nessus and others, keep in mind that ICMP and UPD traffic cannot tunnel through the proxy. So you cannot perform ping or UDP scans.
+For scanning with Nmap, Zenmap, Nessus and others, keep in mind that ICMP and UDP traffic cannot tunnel through the proxy. So you cannot perform ping or UDP scans.
 
 For Nmap and Zenmap, the below example shows the commands can be used. It is best to be selective on ports to scan since scanning through the proxy tunnel can be slow.