This week's release includes 0 exploit modules and 2 auxiliary and post-exploitation modules.
Auxiliary and Post-Exploitation Modules
- Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Scanner by Jon Hart and Lior Oppenheim exploits CVE-2014-9222
- Kippo SSH Honeypot Detector by Andrew Morris
Notable Fixes and Changes
- #4335: Added WAR file upload JBoss exploit
- #4368: Bumped credential gem version
- #4364: Modules respect bruteforce_speed again (issue #3904)
- Pro: The Credentials Domino MetaModule can be added to a task chain.
- Pro: Rails was upgraded to 3.2.21 to address CVE-2014-7829.
- Pro: Exported workspace Zip files now successfully generate when loot files are included.
- Pro: The Known Credentials Intrusion MetaModule now validates that logins exist in the project before it runs.
- Pro: The task log no longer includes a status for mutations if mutations are not selected for the Bruteforce task.
- Pro: When adding a Nexpose console, you can now include the protocol (e.g., https) when specifying the console address.
- Pro: The Bruteforce options are now all aligned with one another.
- Pro: The correct spelling of "Bruteforce" is consistently applied throughout the user interface.
- Pro: MetaModules are correctly cloned in a task chain.
Upgrading after December 23, 2014
If you did not update Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from erayymz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.0 updates to 4.11.0-2014122301
MSF3 4.11.0 updates to 4.11.0-2014122301