This update includes seven new modules, including exploits for Novell File Reporter (NFR), Gentoo Webmin, Linux, qdPM, Microsoft Internet Explorer, and Oracle Business Transaction Management (BTM). Note that the MSIE exploit shipped previously as part of a special out-of-band update.
In addition, this update fixes two reported issues.
- Linux udev Netlink Local Privilege Escalation by egyp7, Jon Oberheide, and kcope exploits CVE-2009-1185
- qdPM v7 Arbitrary PHP File Upload Vulnerability by sinn3r and loneferret exploits OSVDB-82978
- Webmin /file/show.cgi Remote Command Execution by juan vazquez and unknown exploits CVE-2012-2982
- Microsoft Internet Explorer execCommand Use-After-Free Vulnerability by sinn3r, juan vazquez, binjo, eromang, and unknown exploits OSVDB-85532
- Oracle Business Transaction Management FlashTunnelService Remote Code Execution by sinn3r, juan vazquez, and rgod exploits OSVDB-85087
- Novell File Reporter Agent Arbitrary File Delete by juan vazquez and Luigi Auriemma exploits CVE-2011-2750
- Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access by juan vazquez and unknown exploits CVE-2012-2983
#7242 : ie_execcommand_uaf no longer raises an error when auto targeting fails
#7226 : DNS names as an RHOST are no longer incorrectly reported in some cases
How to Upgrade
Metasploit Pro is upgraded using the Administration menu and choosing the option Software Upgrade. To see how to upgrade your Metasploit installation, view this video in the Rapid7 Community.
PRO 4.4.0 updates to 2012091901
MSF3 4.4.0 updates to 20120091901