This week's release includes 4 exploitation modules and 3 auxiliary and post-exploitation modules.
- HP Client Automation Command Injection by juan vazquez and Ben Turner exploits ZDI-15-038
- WordPress Admin Shell Upload by Rob Carr
- WordPress Holding Pattern Theme Arbitrary File Upload by Alexander Borg and Rob Carr exploits CVE-2015-1172
Auxiliary and Post-Exploitation Modules
- WordPress Ultimate CSV Importer User Table Extract by James Hooker and Rob Carr
- Chef Web UI Brute Force Utility by hdm
- Zabbix Server Brute Force Utility by hdm
Notable Fixes and Changes
- #1396: Added http_proxy_pstore stager from @somename11111
- #3650: Added the last Meterpreter script ever (image saving from the target)
- #4706: Added NTLMSSP support for smb_relay
- #4769: Added a module for WordPress holding-pattern theme
- #4770: Added a module for WordPress Ultimate CSV Importer
- #4781: Fixed the resolve_sid failure when enumerating user profiles
- #4787: Added new Zabbix and Chef LoginScanners
- #4788: Added support for new versions for splunk_web_login
- #4795: Updated f5_bigip_cookie_disclosure
- #4801: Added a module for QConvergeConsole Tomcat creds
- #4804: Added a module for HP Client Automation Command Injection
- #4808: Added a generic WordPress plugin upload module
- #4819: Normalized HTTP LoginScanner modules
- #4824: Handle ICMP "protocol not available" errors as connection errors
- #4813: Fixed a bug with print_* in LoginScanners
- Pro: The Payload Generator now respects the "Preserve original functionality" option.
- Pro: The Passive Network Discovery Findings now shows the correct count for the Hosts Found stat.
- Pro: A host can no longer have two services with the same port and protocol.
Upgrading after December 23, 2014
If you did not update to Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from erayymz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.1 updates to 4.11.1-2015022301
MSF3 4.11.1 updates to 4.11.1-2015022301