This week's release includes 2 exploit modules and 1 auxiliary and post-exploitation module.
Auxiliary and Post-Exploitation Modules
Notable Fixes and Changes
- PR #3950, Added multiple encoder chaining
- PR #4784, Added an exploit for JBoss Seam 2 upload execution
- PR #5015, Added a file traversal scanner for RIPS
- PR #5023, Added support for IE11 in fingerprint_user_agent
- PR #5046, Overhauled Meterpreter's transport mechanism to allow for hot-swapping
- PR #5050, Added an exploit for Solarwinds Firewall Security Manager
- PR #5051, Enhanced mssql_enum_domain_accounts_sqli
- PR #5058, Added workspace saving via msfconsole's save command
- PR #5061, Updated the Unix passwords list
- PR #5065, Fixed uri_checksum for reverse payloads
- PR #5067, Added a new standalone jsobfu
- PR #5072. Added support for embed payload UUIDs
- PR #5076, Fixed a bug in the gpp post module with selecting DCs
- PR #5077, Fixed a bug in the constants for the netapi post module
- PR #5082, Added firefox_proxy_prototype to browser autopwn
- PR #5083, Added format string for workspace name in the msfconsole prompt
- PR #5088, Fixed a bug where 'connect' sockets could close prematurely
- PR #5093, Ensure vulns are reported even when the module isn't in the cache yet
- PR #5032, Add stageless meterpreter for 64-bit
- Pro: Vulnerabilities can now be added to the database while the module cache is being populated.
- Pro: Collecting loot from a compromised host no longer results in a stack trace.
- Pro: CSRF token on login page and also disable users for ten minutes after five unsuccessful logins. The Metasploit login page now respects CSRF tokens and prevents bruteforce attacks. Users will not be able to log in to the web interface for 10 minutes after 5 unsuccessful logins. Thank you to Mohamed Abdelbaset Elnoby, a security evangelist, for bringing this to our attention.
Upgrading after December 23, 2014
If you did not update to Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from Eray Yilmaz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.1 updates to 4.11.1-2015040801
MSF3 4.11.1 updates to 4.11.1-2015040801