Metasploit 4.6.1 Released
This week's update bumps the patch version of Metasploit to 4.6.1 (for installed versions of Metasploit). The major change here is the ability to install Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle with the installer and a few of Metasploit Pro's dependencies to get that all working correctly, and that led to skipping last week's release so we could be sure all the moving parts lined up correctly.
This release also fixes a few minor issues in Metasploit Pro that affected a handful of users -- you can read up on what exactly has changed in the release notes. As usual, it's a little bigger than you might expect from your typical update, given the changes in the installer code, so give it a couple extra minutes to download and do its update thing.
If you've been watching this space, you'll know that we've been on the prowl for a summer intern. Welp, the search is over -- we've managed to pick up a well-qualified college student who has a strong background in both IT ops and exploit dev. If you have Pull Requests in the metasploit-framework backlog, or aging bugs in the Redmine Issue Tracker, then you should expect to meet him soon as he validates your pulls and bugs and gets your stuff back on track (or mercilessly axed).
Of course, this sort of backlog validation doesn't have to land on in paid intern's lap. If you're looking to beef up your resume, know a thing or two about IT security and Ruby, and are handy with VMware or Vagrant, you are more than welcome to throw in as well. We can always use extra validation inputs to our bugs and PR's. Even if you're not here in the Mazes of Metasploit, fixing bugs and getting your name attached to Metasploit commits is a pretty decent reference all by itself, paid or not.
SVN is Still Mostly Dead
This week we've locked up our SVN server at http://www.metasploit.com/svn with a pretty unguessable username and password. This is to discourage people from following the piles of pre-2011 documentation that's out there. The SVN lockdown is described at http://r-7.co/MSF-SVN in more detail, but the moral of the story is, don't even try to guess the password, and don't try to use your e-mail password or GitHub password or anything like that. The whole point of this new behavior is to merely transmit the instructions to move to Git in the WWW-Authenticate header.
We've a fairly huge bucket full of exploits and auxiliary modules this week. Sixteen total, mostly around our 2013 theme of home access points and SAP installations. We're also shipping Juan's 1Day exploit for Mutiny appliances this week, as well as an exe dropper for SSH sessions from Spencer McIntyre and Brandon Knight.
Oh, and did you hear about the Linode compromise? Part of the incident centered around recent ColdFusion bugs. Now, I'm sure ColdFusion is a delightful language to work in and if you're CFM artiste, you probably have a ball every day working on your codebase. That said, it's not super popular language here in the 21st Century. This usually means that you're stuck with legacy-flavored security bugs, like the directory traversal vulnerability exercised by Hack The Planet and ported to Metasploit by Wei @_sinn3r Chen.
- D-Link DIR615h OS Command Injection by juan vazquez and Michael Messner exploits OSVDB-90174
- Linksys WRT160nv2 apply.cgi Remote Command Injection by juan vazquez and Michael Messner exploits OSVDB-90093
- Mutiny 5 Arbitrary File Upload by juan vazquez exploits CVE-2013-0136
- Kloxo Local Privilege Escalation by juan vazquez and HTP
- SAP Management Console OSExecute Payload Execution by juan vazquez and Chris John Riley
- SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution by nmonkee
- SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution by nmonkee
- SSH User Code Execution by Brandon Knight and Spencer McIntyre exploits CVE-1999-0502
- ERS Viewer 2011 ERS File Handling Buffer Overflow by juan vazquez and Parvez Anwar exploits CVE-2013-0726
- DLink DSL 320B Password Extractor by Michael Messner exploits OSVDB-93013
- Mutiny 5 Arbitrary File Read and Delete by juan vazquez exploits CVE-2013-0136
- SAP SOAP EPS_DELETE_FILE File Deletion by Alexey Sintsov and nmonkee exploits OSVDB-74780
- ColdFusion 'password.properties' Hash Extraction by sinn3r and HTP exploits OSVDB-93114
- CouchDB Enum Utility by espreto
- SAP CTC Service Verb Tampering User Management by Alexandr Polyakov and nmonkee
- SAP SMB Relay Abuse by Alexey Tyurin and nmonkee
- SAP SOAP RFC EPS_GET_DIRECTORY_LISTING Directories Information Disclosure by nmonkee
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.