This week's release includes 2 exploit modules.
- CMS Bolt File Upload Vulnerability by Roberto Soares Espreto and Tim Coen
- MS15-100 Microsoft Windows Media Center MCL Vulnerability by sinn3r exploits CVE-2015-2509
Notable Fixes and Changes
- PR #5865: Added support for x64 executable payload injection
- PR #5944: Updated nmap parser to mark open|filtered ports as unknown
- PR #5949: Updated Android remove_lock_root to check for root access
- PR #5953: Added exploit for Bolt CMS File Upload Vulnerability
- PR #5964: Added Meterpreter support for OS X post modules
- PR #5965: Improved Shodan search error logging
- PR #5967: Fixed a Nil bug fix in the SSO gather module
- PR #5971: Added an exploit for MS15-100 Win Media Center MCL Vulnerability
- PR #5974: Improved reliability of java_jmx_server
- PR #5977: Improved reliability SMB fingerprinting when there are no login credentials
- Pro: MSP-13207: The Credentials table no longer displays transitions when you click on a credential to view its details page.
- Pro: MSP-13222: The Hosts table now displays the message "No hosts are associated with this project" when the project does not contain any hosts.
- Pro: MSP-13250: WfsDelay only increases during dynamic stager generation.
Upgrading after December 23, 2014
If you did not update to Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from Eray Yilmaz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.4 updates to 4.11.4-2015091503