This update includes eleven new modules, including exploits for Symantec Messaging Gateway, JBoss, MobileCartly, HP SiteScope, and SAP NetWeaver.
In addition, this update fixes one bug.
#507: Zone transfers now do not throw errors for dns_enum
- Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability by sinn3r, Ben Williams, and Stefan Viehbock exploits CVE-2012-3579
- JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) by Jens Liebchen, Patrick Hof, and h0ng10 exploits CVE-2007-1036
- MobileCartly 1.0 Arbitrary File Creation Vulnerability by sinn3r and Yakir Wizman exploits BID-55399
- HP SiteScope Remote Code Execution by juan vazquez and rgod exploits ZDI-10-174
- SAP NetWeaver HostControl Command Injection by juan vazquez and Michael Jordon exploits OSVDB-84821
- SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow by juan vazquez and Martin Gallo exploits CVE-2012-2611
- Microsoft SQL Server - Find and Sample Data by Scott Sutherland, hdm, todb, Carlos Perez, Robin Wood, and humble-desser
- HP SiteScope SOAP Call getFileInternal Remote File Access by juan vazquez and rgod exploits ZDI-12-176
- HP SiteScope SOAP Call getSiteScopeConfiguration Configuration Access by juan vazquez and rgod exploits ZDI-12-173
- HP SiteScope SOAP Call loadFileContent Remote File Access by juan vazquez and rgod exploits ZDI-12-177
- Windows Manage Local Microsoft SQL Server Authorization Bypass by Scott Sutherland
How to Upgrade
Metasploit Pro is upgraded using the Administration menu and choosing the option Software Upgrade. To see how to upgrade your Metasploit installation, view this video in the Rapid7 Community.
PRO 4.4.0 updates to 2012090501
MSF3 4.4.0 updates to 20120090501