- Jenkins CLI RMI Java Deserialization Vulnerability by juan vazquez, Christopher Frohoff, Dev Mohanty, Louis Sato, Steve Breen, Wei Chen, and William Vu exploits CVE-2015-8103
- phpFileManager 0.9.8 Remote Code Execution by Jay Turla and hyp3rlinx
- Legend Perl IRC Bot Remote Code Execution by Jay Turla exploits OSVDB-121681
- Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution by Conor Patrick, Jay Turla, and Matt Thayer
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability by sinn3r exploits CVE-2015-8249
Auxiliary and Post-Exploitation Modules
Notable Fixes and Changes
- PR #4489: Improved path handling and more in SMB auxiliary modules
- PR #6057: Added a post module for dumping Windows Bitlocker master keys
- PR #6197: Added a post module for enumerating AV exclusions
- PR #6266: Added an RSYNC credentials scraper
- PR #6303: Added an exploit for phpFileManager 0.9.8 Remote Code Execution
- PR #6307: Added an exploit for Xdh / LinuxNet Perlbot / fBot Remote Code Execution
- PR #6315: Added support for Meterpreter migrating to processes by name
- PR #6322: Added an exploit for Legend Perl IRC Bot Remote Code Execution
- PR #6329: Fixed Linux / Windows support for Offensive Security sound scheme
- PR #6338: Added an exploit for Jenkins CLI Java serialization bug CVE-2015-8103
- PR #6343: Updated Nokogiri to 1.6.7 to fix local vulnerabilities
- PR #6344: Added an exploit for ManageEngine ConnectionId Arbitrary File Upload R7-2015-22 / CVE-2015-8249
- PR #6326: Updated to RSpec 3.x
- Pro: MS-820: Nokogiri gem has been updated to version 1.6.7.
Offline Update File
To download the offline file for this update, go to http://updates.metasploit.com/packages/688404aab78ae5cffdf3ec08ea61726dd51b9ad7.bin.
Upgrading after December 23, 2014
If you did not update to Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from Eray Yilmaz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.5 updates to 4.11.5-20150121501