This weekly update contains one new exploit module and four new auxiliary and post modules.
Exploit modules
- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation by Jay Smith and Matt Bergin, exploits CVE-2014-4971
Auxiliary and post modules
- Microsoft SQL Server - Escalate Db_Owner by nullbind
- HP Operations Manager Perfd Environment Scanner by Roberto Soares Espreto
- Jenkins-CI Login Utility by Nicholas Starke
- ARRIS / Motorola SBG6580 Cable Modem SNMP Enumeration Module by Matthew Kienow, exploits OSVDB-110555
Notable Fixes and Changes:
- #4030: Updated Meterpreter Gem to 0.0.10
- #4024: Modules will try TLSv1 first, then fall back to SSLv3/SSLv2
- #4025: Meterpreter handler accepts any SSL version for connect backs
- #4021: RPC connections will default to TLSv1
- #4012: Actions now listed in module info
- #3651: Bluetooth on XP local privilege escalation (unpatched)
- #3985: check() now elogs Ruby errors for easier troubleshooting
- Pro: The email server configuration for Social Engineering Campaigns now allows you to set the number of emails that are sent per batch, as well as the delay period between batches. This lets users balance the risk of getting flagged as spam against sending out emails at a rate feasible for larger campaigns.
- Pro: The Shellshock information banner has been dropped. A new banner with details on POODLE changes has been added.
- Pro: Conditions were discovered in which the Quick PenTest and Web App Wizards would experience an error. This has been corrected.
How to Upgrade
Metasploit Pro is upgraded using the Administration menu and choosing the option Software Updates. To see how to upgrade your Metasploit installation, view this video in the Rapid7 Community.
PRO 4.10.0 updates to 4.10.0-2014101601
MSF3 4.10.0 updates to 4.10.0-2014101601