This week's release includes 6 exploit modules and 3 auxiliary and post-exploitation modules.
- Watchguard XCS Remote Command Execution by Daniel Jensen
- Watchguard XCS FixCorruptMail Local Privilege Escalation by Daniel Jensen
- Simple Backdoor Shell Remote Code Execution by Jay Turla
- Zemra Botnet CnC Web Panel Remote Code Execution by Angel Injection, Darren Martyn, and Jay Turla
- Kaseya VSA uploader.aspx Arbitrary File Upload by Pedro Ribeiro exploits ZDI-15-449
- ManageEngine EventLog Analyzer Remote Code Execution by xistence
Auxiliary and Post-Exploitation Modules
Notable Fixes and Changes
- PR #5380: Added the pageantjacker module to Meterpreter, allowing remote access to a Pageant SSH agent on the compromised host
- PR #5510: Updated x86/alpha* encoders to be SaveRegister aware, fixed handler support
- PR #5518: Updated TFTP::Client to retransmit lost data blocks on upload
- PR #5638: Added an exploit for Watchguard XCS unauthenticated root access
- PR #5799: Refactored WinSCP module and library code to be usable for external tools
- PR #5911: Added a parameter to Meterpreter ADSI enumeration to output to a file (-o)
- PR #5935: Updated the final batch of modules to use the metasploit-credential API
- PR #5946: Added the simple_backdoors_exec module for unauthenticated web backdoor shells
- PR #5981: Added an exploit for ManageEngine EventLog Analyzer remote code execution
- PR #5983: Added an auxiliary module for port-mapping UPnP
- PR #5990: Fixed reverse_hop_http to work with the new Meterpreter UUID URI scheme
- PR #5993: Fixed handling of ADSI exceptions
- PR #5997: Fixed database cache updater
- PR #5998: Fixed crashes with stageless Meterpreter using PrependMigrate
- PR #6003: Fixed incorrect results using 64-bit BSD IPv6 payloads with a signed port number
- PR #6005: Updated recog to 2.0.14 (see the PR for individual fixes)
- PR #6007: Added a workaround for modules that are not yet able to handle capture_sendto failing
- PR #6010: Fixed 21 modules using capture_sendto incorrectly
- PR #6013: Added mainframe as a platform and architecture
- PR #6016: Improved resiliency (and fixed a 6-year-old bug) in Windows x64 TCP stagers
- PR #6018: Added an exploit for Kaseya VSA privilege escalation (ZDI-15-448)
- PR #6019: Added an exploit for Kaseya VSA RCE (ZDI-15-449)
- PR #6022: Added an exploit for Zemra CnC Web Panel RCE
- PR #6027: Provided better log messages for verb_auth_bypass
- PR #6029: Added Windows 10 support for bypassuac_injection
- PR #6030: Added the Microsoft Patch Finder for automatically discovering and downloading patches
- PR #6031: Deleted unused -a db_export option
- PR rapid7/metasploit-payloads#31: Added Windows 10 detection to Meterpreter
- PR rapid7/metasploit-payloads#32: Fixed switching Meterpreter transports on SSL cert validation failures
- PR rapid7/metasploit-payloads#33: Fixed running android meterpreter without a context
- Pro: MSP-13106: Task chains now generate reports without error.
- Pro: MSP-13216: Minor style changes have been made to the import page.
- Pro: MSP-13219: The Comments field on the vulnerability details page now uses the same style button as the rest of the application to display the full comment.
- Pro: MSP-13321: The Status column for the Notes table now displays critical notes.
- Pro: MSP-13236: The ability to go to the Task log or stay on the Vulnerabilities Index after pushing data to Nexpose has been added.
Upgrading after December 23, 2014
If you did not update to Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from Eray Yilmaz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.4 updates to 4.11.4-20150100401