Welcome to the last Metasploit update of the year! Since January 1st, 2015, we've had 6364 commits from 176 unique authors, closed 1119 Pull Requests, and added 323 modules. Thank you all for a great year! We couldn't have done it without you.
The sounds plugin has been around for a long time, notifying hackers of new shells via their speakers since 2010. Recently, Wei "sinn3r" Chen gave it a makeover, replacing the old robotic voice with that of Offensive Security founder, Kali Linux Core Developer, and all-around cool guy Mati "muts" Aharoni. Now when you get a new session, you'll be treated to his sultry voice congratulating you, and when an exploit fails, he'll encourage you to try harder. Just type "load sounds" in msfconsole to hear it in action.
We have eight new modules this week -- 5 exploits and 3 post modules. Among them is an exploit for Jenkins that takes advantage of the Java deserialization issue brought to the world's attention by FoxGlove Security a few weeks ago. More exploits for similar vulnerabilities are undoubtedly on the way.
- Jenkins CLI RMI Java Deserialization Vulnerability by juan vazquez, Christopher Frohoff, Dev Mohanty, Louis Sato, Steve Breen, Wei Chen, and William Vu exploits CVE-2015-8103
- phpFileManager 0.9.8 Remote Code Execution by Jay Turla and hyp3rlinx
- Legend Perl IRC Bot Remote Code Execution by Jay Turla exploits OSVDB-121681
- Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution by Conor Patrick, Jay Turla, and Matt Thayer
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability by sinn3r exploits CVE-2015-8249
Auxiliary and post modules
- UNIX Gather RSYNC Credentials by Jon Hart
- Bitlocker Master Key (FVEK) Extraction by Danil Bazin
- Windows Antivirus Exclusions Enumeration by Andrew Smith and Jon Hart
As always, you can get all these modules and improvements with a simple msfupdate, and the full diff is available on GitHub: 4.11.5-2015120901...4.11.5-2015121501