This update includes 7 new modules, including exploits for Apache Struts, Apache Tomcat, Simple E-Document and SkyBlueCanvas CMS. It also contains new modules for Drupal, ManageEngine, and Windows.
In addition, this update fixes 5 issues.
Update, 2014-Feb-10: The latest update, 2014020502, contains a fix for an issue that caused some server exploits to fail.
- Apache Struts 2 Developer Mode OGNL Execution by juan vazquez, Alvaro, Andreas Nusser, and Johannes Dahse exploits CVE-2012-0394
- Apache Tomcat Manager Authenticated Upload Code Execution by rangercha exploits ZDI-10-214
- Simple E-Document Arbitrary File Upload by Brendan Coles and vinicius777
- SkyBlueCanvas CMS Remote Code Execution by Scott Parish and xistence exploits CVE-2014-1683
Auxiliary and post modules
- Drupal OpenID External Entity Injection by juan vazquez and Reginaldo Silva exploits CVE-2012-4554
- ManageEngine Support Center Plus Directory Traversal by xistence exploits OSVDB-102656
- Windows Gather SmarterMail Password Extraction by sinn3r, Brendan Coles, and Joe Giron
Notable Changes and Resolved Issues
- 8749 - spawn_meterpreter does not respect user-specified LHOST and LPORT
- 8761 - Add support for rhost, rport and peer for post modules
- Clarify message in CSV format error
- Fix Qualys imports
- ScanTask passes an array of IP addresses to the datastore
How to Upgrade
To upgrade Metasploit Pro, open the Administration menu and choose the Software Upgrade option. To see how to upgrade your Metasploit installation, view this video in the Rapid7 Community.
PRO 4.8.2 updates to 4.8.2-2014020501
MSF3 4.8.2 updates to 4.8.2-2014020501