This update includes 9 new modules, including 8 exploits for Ruby on Rails, eXtplorer, Honeywell Temo Remote Installer, Internet Explorer, Enterasys Netsight, IBM Cognos and two Wordpress plugins. It also adds a new scanner for Ruby on Rails.
In addition, this updates fixes issue 7657, an issue with Netsparker imports, and an issue with activity exports.
- eXtplorer v2.1 Arbitrary File Upload Vulnerability by Brendan Coles exploits OSVDB-88751
- Ruby on Rails XML Processor YAML Deserialization Code Execution by hdm, charliesome, espes, and lian exploits CVE-2013-0156
- WordPress Plugin Advanced Custom Fields Remote File Inclusion by Charlie Eriksen exploits OSVDB-87353
- WordPress Plugin Google Document Embedder Arbitrary File Disclosure by Charlie Eriksen exploits CVE-2012-4915
- Honeywell Tema Remote Installer ActiveX Remote Code Execution by juan vazquez, Billy Rios, and Terry McCorkle exploits OSVDB-76681
- Microsoft Internet Explorer Option Element Use-After-Free by sinn3r, juan vazquez, and Ivan Fratric exploits MS11-081
- Enterasys NetSight nssyslogd.exe Buffer Overflow by juan vazquez, Jeremy Brown, and rgod exploits ZDI-11-350
- IBM Cognos tm1admsd.exe Overflow by juan vazquez and Unknown exploits ZDI-12-101
- Ruby on Rails XML Processor YAML Deserialization Scanner by hdm exploits CVE-2013-0156
- 7657 Fixed crash in smb_login when users/passwords contain a '%' character
- Fixed an issue with Netsparker imports
- Fixed an issue when exporting many activities
How to Upgrade
Metasploit Pro is upgraded using the Administration menu and choosing the option Software Upgrade. To see how to upgrade your Metasploit installation, view this video in the Rapid7 Community.
PRO 4.5.0 updates to 2013010901
MSF3 4.5.0 updates to 2013010901