This weekly update brings eight new modules, including a number of post-exploitation credential and file-gathering modules. This update also includes modules for Microsoft IIS, SugarCRM, Adobe Flash Player, and Apple iTunes. Additionally, this update resolves two outstanding bugs.
- MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass by sinn3r and Soroush Dalili exploits MS10-065
- SugarCRM unserialize() PHP Code Execution by sinn3r, juan vazquez, and EgiX exploits CVE-2012-0694
- Adobe Flash Player Object Type Confusion by sinn3r and juan vazquez exploits CVE-2012-0779
- Adobe Flash Player AVM Verification Logic Array Indexing Code Execution by mr_me and Unknown exploits CVE-2011-2110
- Apple iTunes 10 Extended M3U Stack Buffer Overflow by sinn3r and Rh0 exploits OSVDB-83220
- Windows Gather Group Policy Preference Saved Passwords by Ben Campbell, Loic Jaquemet, Rob Fuller, TheLightCosine, and scriptmonkey
- Windows Gather TortoiseSVN Saved Password Extraction by Justin Cacak
- Windows Gather Generic File Collection by 3vi1john and RageLtMan
Resolved Bugs & Changes
- #7022: PDF Parser assumes there's always a Size field, causing an exception
- #7026: Creating a task chain with a bruteforce that uses an IP range causes 500 error
How to Upgrade
To upgrade Metasploit Pro, open the Administration menu and choose the Software Upgrade option. To see how to upgrade your Metasploit installation, view this video in the Rapid7 Community.
PRO 4.3.0 (any revision) updates to 2012062701
MSF3 4.3.0 (any revision) updates to 2012062701