This weekly update contains two new exploit modules and three new auxiliary and post-exploitation modules.
- Centreon SQL and Command Injection by juan vazquez and MaZ exploits CVE-2014-3829
- Windows TrackPopupMenu Win32k NULL Pointer Dereference by juan vazquez, Spencer McIntyre, and Unknown exploits CVE-2014-4113
Auxiliary and Post-Exploitation Modules
- Western Digital MyBook Live Login Utility by Nicholas Starke
- LastPass Master Password Extractor by Alberto Garcia Illera, Jon Hart, and Martin Vigo
- Shell to Meterpreter Upgrade by Tom Sellers
Notable Fixes and Changes
- #2134: Significant reliability improvements to psexec_command module
- #3518: Fixed sadmind_exec module default payload selection
- #3561: Split unix cmd generic_sh encoder in to perl and echo versions (while avoiding issue #3991)
- #4045: Reorganized Msf::Module mixin namespace
- #4046: Added exploits for unpatched Centreon injection vulnerabilities (CVE-2014-3828 and CVE-2014-3829)
- #4064: Landed Windows local privilege escalation CVE-2014-4113
- #4070: EICAR integrity test fixed
- #4074 and #4075: RPC interfaces to creds restored (fix required for msfgui)
- #4077: Fixed via #4088
- #4080: TCP and TCPServer mixins prefer TLS1 now
- #4086: Added ability for user to set FTP PASV port
- #4088: Added exploit for wget CVE-2014-4877
- Pro: Duplicate hosts are no longer included in the host count on the Vulnerability Validation Findings. The Findings now displays accurate counts for imported hosts.
- Pro: The Metasploit installers now include Metasploit Nexpose Ultimate edition. Nexpose Ultimate customers can activate Metasploit Nexpose Ultimate edition using the license key provided by the Rapid7 sales team.
- Pro: The POODLE banner has been removed.
- Pro: The Metasploit installers now include the latest update, so it will no longer be necessary to perform a software update after installing Metasploit.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and choose the Software Updates option. To see how to upgrade your Metasploit installation, view this video in the Rapid7 Community.
PRO 4.10.0 updates to 4.10.0-2014102901
MSF3 4.10.0 updates to 4.10.0-2014102901