This week's release updates Metasploit to version 4.11.1, which includes the following new features and modules.
Pause and Resume Credentials Reuse Tasks (PRO/ULTIMATE ONLY)
You can now pause and resume a Credentials Reuse task. This very useful enhancement enables you to stop a Credentials Reuse task while it's running and continue it at a later time. All the current stats and data are saved so that you don't have to restart the task completely. Bonkers, right?
Remember back in November when we announced that Ruby 1.9.3 will reach end of life by February 2015? Well, the time has arrived. Ruby 1.9.3 has been updated to 2.1.5. For more information on the Ruby upgrade and to see how it affects you, see Tod Beardsley's awesome post Metasploit Weekly Wrapup: New Rubies!
New Modules for Everyone
This week's release contains 1 new exploit module and 6 new auxiliary and post-exploitation modules.
- MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape by juan vazquez, Henry Li, and Unknown exploits CVE-2015-0016
Auxiliary and Post-Exploitation Modules
- ManageEngine Multiple Products Arbitrary Directory Listing by Pedro Ribeiro exploits CVE-2014-7863
- ManageEngine Multiple Products Arbitrary File Download by Pedro Ribeiro exploits CVE-2014-7863
- Multi Gather RubyGems API Key by Brandon Myers and Jonathan Claudius
- Windows Escalate Golden Ticket by Ben Campbell
- Windows Gather Active Directory Users by Ben Campbell and Carlos Perez
Notable Fixes and Changes
PR #4388: Added Kerberos Golden Ticket module
PR #4392: Added a post module to enumerate AD users
PR #4601: Added a CLI tool to look up MD5 hashes, saving cracking time
PR #4642: Fixed blank username direct search for creds -u command
PR #4643: Fixed a bug where blank usernames could cause stack traces
PR #4645: Added a RubyGems API key stealer
PR #4647: Fixed BrowserExploitServer's get_module_resource nil error
PR #4648: Fixed security issue with YAML parsing target (untrusted) data (vuln never shipped in binary installers)
PR #4652: Updated SVG exploit for CVE-2013-2551 to use BrowserExploitServer
PR #4655: Added a custom 404 option to BrowserExploitServer
PR #4658: Added a module for ManageEngine arbitrary file download, CVE-2014-7863
PR #4659: Added a module for ManageEngine directory listing, CVE-2014-7863
PR #4660: Enabled a check() for mssql_payload
PR #4663: Changed msfvenom -l output to stdout, rather than stderr
PR #4666: Improved meterpreter file upload command
PR #4673: Fixed screenshot -v command
PR #4674: Added ability of msfconsole to read stdin as '-'
PR #4675: Added WordPress XML-RPC GHOST scanner for CVE-2015-0235
PR #4683: Added Struts 1 support for struts_code_exec_classloader for CVE-2014-0114
PR #4692: Added exploit for MS15-004, TsWbPrxy.exe exploit
PR #4701: Fixed slow search error
PR #4704: Added Asterisk 1.8 support for IAX2 stack
- Pro: Ruby 1.9.3 has been upgraded to Ruby 2.1.5.
- Pro: The ability to pause and resume a Credentials Reuse task has been added.
- Pro: Due to how Rails manages tokens, it was possible for an attacker in a man-in-the-middle position to steal and replay a session token to log back in to the web interface. Now, when a user logs in or logs out of the web interface, the user's previous session token is invalidated, which prevents the old token from being replayed. Thank you, Abhinav Mishra, for discovering and helping us resolve this issue.
- Pro: The social engineering feature will no longer be available after the free Pro trial expires.
- Pro: Exception pushes from the Vulnerability Validation Wizard to Nexpose now work as expected.
- Pro: The Rapid7 EULA has been updated.
Updating from the Web Interface
If you are updating Metasploit from the web interface, the interface may appear to freeze or take a long time to complete. If the update takes longer than 5 minutes, you must restart your web browser and log in to Metasploit again. If you are able to log in, the update completed successfully.
Upgrading after December 23, 2014
If you did not update to Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from erayymz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.0 updates to 4.11.1-2015021201
MSF3 4.11.0 updates to 4.11.1-2015021201