This week's release includes 4 exploit modules and 6 auxiliary and post-exploitation modules.
- F5 iControl iCall::Script Root Command Execution by Jon Hart and tom exploits CVE-2015-3628
- Chkrootkit Local Privilege Escalation by Julien "jvoisin" Voisin and Thomas Stangner exploits CVE-2014-0476
- Joomla Content History SQLi Remote Code Execution by Asaf Orpani and xistence exploits CVE-2015-7858
- BisonWare BisonFTP Server Buffer Overflow by Jay Turla, localh0t, and veerendragg exploits CVE-1999-1510
Auxiliary and Post-Exploitation Modules
- Veeder-Root Automatic Tank Gauge (ATG) Administrative Client by Jon Hart
- Jenkins Domain Credential Recovery by sinn3r and Th3R3p0
- Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure by Brad Wolfe, James Fitts, Jay Turla, and shinnai exploits CVE-2015-7603
- HTTP Git Scanner by Jon Hart and Nixawk
- OpenVPN Gather Credentials by Roberto Soares Espreto and rvrsh3ll
- Write Messages to Users by Jon Hart
Notable Fixes and Changes
- PR #5851: Improved Meterpreter session networking performance.
- PR #6108: Added a post module for grabbing OpenVPN credentials.
- PR #6129: Added an exploit for Joomla Content History SQLi remote code execution.
- PR #6201: Added an exploit for chkrootkit local privilege escalation.
- PR #6220: Added a module for interacting with Veeder-Root Automatic Tank Gauges (ATGs).
- PR #6225: Added a post module for interacting with the Unix wall(1) and write(1) commands.
- PR #6227: Improved reverse_hop_http/s to work with new transport API.
- PR #6228: Added a local privilege escalation exploit for F5 BIG-IP iCall.
- PR #6233: Added a scanner for a Konica Minolta 1.0 FTP Utility directory traversal vulnerability.
- PR #6239: Added extra session info display to module output.
- PR #6240: Changed the default SMBDomain from 'WORKGROUP' to '.'.
- PR #6243: Improved various modules to handle socket disconnections gracefully.
- PR #6246: Improved session creation to show errors if they occur.
- PR #6248: Removed documentation for non-existent 'interact' command.
- PR #6252: Added variable SLEEP_TIME option to registry_persistence local exploit.
- PR #6257: Added an aux module for locating git repos over HTTP.
- PR #6258: Improved smart_migrate to avoid unnecessary process migrations.
- PR #6259: Fixed an error when interacting with some versions of VMware.
- PR #6261: Added verbose and timeout options to the module_ref tool.
- PR #6262: Improved handling of local exploits run from a Meterpreter session.
- PR #6263: Added an exploit for BisonWare BisonFTP Server buffer overflow.
- PR #6264: Added support for embedding Python scripts in Windows stageless Meterpreter.
- PR #6277: Added an aux module for Jenkins domain credential recovery.
- PR #6278: Fixed the default RHOST value in the owa_login scanner.
- PR #6281: Fixed modules to display https when SSL is enabled.
- PR #6282: Removed deprecated adobe_flash_pixel_bender_bof module.
- PR #6283: Fixed crash running staged payloads with windows/smb/ms08_067_netapi.
- Pro: MS-25: The RMI scanner now includes support for a number of additional RMI/JMX ports, including 999, 3333, 3900, 5999, 6060, 6789, 6996, 7878, 7890, 8050, 8051, 8085, 8091, 8642, 8701, 8686, 8888, 8999, 9001, 9003, 9004, 9005, 9050, 9090, 9300, 9500, 9711, 9875, 9910, 9991, 9999, 10001, 10099, 11001, 12000, 13013, 14000, 15000, 15001, 16000, 18980, 20000, 26256, 33000, and 50050.
- Pro: MS-116: Any Nexpose vulnerability that was compromised via auto-exploitation can be pushed back to Nexpose as a validation.
- Pro: MS-440: The 'Description' and 'Status' columns now display the correct data on the single vulnerability page.
- Pro: MS-404: Major improvements have been made to significantly increase the rate at which social engineering campaigns send e-mails.
- Pro: MS-161: The task log now shows time estimations for bruteforce tasks.
- Pro: MS-690: You can use the 'Cancel' button to close the Push Exceptions window on the Vulnerability Validation Findings window.
- Pro: MS-706: The task log now shows session information when the mssql_local_auth_bypass module is running. You can easily identify the host that the module is running against.
Upgrading after December 23, 2014
If you did not update to Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from Eray Yilmaz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.4 updates to 4.11.4-201501113001