Metasploit Framework Changelog

New in Metasploit Framework 4.14.3 (Jul 21, 2018)

  • Bugs Fixed:
  • Pro: MS-3350 - The "Time Between Attempts" option for bruteforce attacks now works as expected. It increases the interval between login attempts.
  • Pro: MS-3230 - Report names are now optional. If the field is empty, the report uses the format: -.
  • PR 10241 - This fix resolves an error-handling issue in the Service Control Manager code that prevented error messages from being logged as expected.
  • Enhancements and Features:
  • Pro: MS-3341 - To help us learn how we can improve features, Metasploit Pro now collects anonymous usage statistics. You can opt out of this if you prefer. Learn more about our privacy policy and how we handle your data at https://www.rapid7.com/trust.
  • PR 10107 - The scanner/smb/impacket/secretsdump module has been added to the framework as an external module.
  • PR 10171 - Post-exploitation modules are now available to activate the screensaver and open files with the default action for the desktop shell on Linux, Windows, and macOS.
  • PR 10251 - Metasploit will now log background connect attempts to the payload when a bind payload is used.
  • PR 10284 - Modules that do not have a CVE will return the "CVE: Not available" message when you run the `info` command. To learn more about why a CVE is not provided for the module, run the `info -d` command to read the documentation.
  • PR 10286 - A scanner for Docker servers listening on a TCP port (default 2375) is now available.
  • PR 10287 - A new advanced option is available that allows you to skip checking whether the target of a WordPress module is valid. This option helps you work around false negatives when new WordPress versions break our fingerprints.
  • New Exploits:
  • PR 9780 - This adds an exploit for CouchDB that leverages an auth bypass (if applicable) and the injection of a query server in the config to achieve remote code execution.
  • PR 10108 - The exploits/linux/http/ibm_qradar_unauth_rce module has been added to the framework. It exploits three vulnerabilities in the Forensics web application that allows an attacker to achieve unauthenticated remote code execution when they are chained together.
  • PR 10133 - The /exploits/linux/misc/hid_discoveryd_command_blink_on_unauth_rce module has been added to the framework. It exploits an unauthenticated remote command execution vulnerability in the discoveryd service exposed by HID VertX and Edge door controllers.
  • PR 10219 - The exploits/linux/http/hp_van_sdn_cmd_inject module has been added to the framework. It exploits a hardcoded service token or default credentials in the HPE VAN SDN Controller.
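
The Docker daemon scanner from PR 10286 above looks for an HTTP API answering without authentication on TCP 2375. The following is an added example, not the module's own code, showing the request such a scanner sends and how to fingerprint the reply from the raw HTTP response to GET /version. The sample responses are constructed, not captured from a real host.

```ruby
require 'json'

# Added example (not the Metasploit module from PR 10286): fingerprint an
# exposed Docker daemon from the raw HTTP response to GET /version.
# The Docker Engine API answers that request with a JSON object containing
# "Version", "ApiVersion", "Os" and "Arch" and sets a "Server: Docker/..." header.

# Request the scanner sends; Host is mandatory for HTTP/1.1.
def docker_version_request(host, port = 2375)
  "GET /version HTTP/1.1\r\nHost: #{host}:#{port}\r\n" \
  "Accept: application/json\r\nConnection: close\r\n\r\n"
end

# Split a raw HTTP/1.x response into [status_code, headers_hash, body].
# Header names are lower-cased so lookups are case-insensitive.
def parse_http_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  status_line, *header_lines = head.split("\r\n")
  code = status_line[/\AHTTP\/1\.[01] (\d{3})/, 1]
  return nil unless code
  headers = header_lines.each_with_object({}) do |line, h|
    k, v = line.split(':', 2)
    h[k.strip.downcase] = v.strip if k && v
  end
  [code.to_i, headers, body.to_s]
end

# Returns a hash describing the daemon, or nil when the reply is not a Docker
# API reply. A 200 with a version payload means the API answered with no
# authentication at all, which is the condition the scanner reports.
def docker_fingerprint(raw)
  parsed = parse_http_response(raw)
  return nil unless parsed
  code, headers, body = parsed
  return nil unless code == 200
  info = JSON.parse(body) rescue nil
  return nil unless info.is_a?(Hash) && info.key?('ApiVersion')
  {
    version:     info['Version'],
    api_version: info['ApiVersion'],
    os:          info['Os'],
    arch:        info['Arch'],
    server:      headers['server']
  }
end

# Constructed sample responses (not captured from real hosts).
SAMPLE_DOCKER_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Api-Version: 1.37',
  'Content-Type: application/json',
  'Server: Docker/18.03.1-ce (linux)',
  '',
  '{"Version":"18.03.1-ce","ApiVersion":"1.37","MinAPIVersion":"1.12","Os":"linux","Arch":"amd64"}'
].join("\r\n")

SAMPLE_OTHER_RESPONSE = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  fp = docker_fingerprint(SAMPLE_DOCKER_RESPONSE)
  puts "docker: #{fp.inspect}"
  puts "other:  #{docker_fingerprint(SAMPLE_OTHER_RESPONSE).inspect}"
end
```

Only a 200 carrying the expected JSON keys is treated as a hit; a status other than 200 or a body without "ApiVersion" returns nil, so a web server that happens to sit on port 2375 is not reported.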

New in Metasploit Framework 4.14.2 (Dec 9, 2017)

  • Bugs Fixed:
  • Pro: MS-2837 - Adding credential pairs to Bruteforce works as expected.
  • Pro: MS-2781 - This fix updates the 'msfdb' command shipped with the Metasploit Omnibus installers so that it configures PostgreSQL host-based authentication (pg_hba.conf) correctly, closing off unauthenticated local access to the Metasploit database.
  • PR 9110 - This adds a '-C' option for persisting changes to the columns displayed by the `hosts` command.
  • PR 9211 - The domain hashdump module has been updated to include specific error handling for the failure expected in Windows 2016 domain controllers.
  • PR 9260 - Usernames can now contain Unicode characters, and you can now recursively delete a directory that is not empty.
  • Enhancements and Features:
  • PR 9252 - The following enhancements were made to the Docker image: the compose file has been changed to version 3, binstubs are now more intuitive, the docker-compose.override.yml file has been moved to the root, the docker build step is now faster, and the database URL parsing in Metasploit has been updated.
  • Offline Update:
  • http://updates.metasploit.com/packages/83c222613d77e6bc69e64a482ec7927638141bee.bin
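
The condition behind MS-2781 above is a pg_hba.conf that lets any local client reach the Metasploit database with no password. The following is an added example, not msfdb's own code, that parses a pg_hba.conf and reports rules that reach a given database without real authentication. The two config fragments are constructed for illustration, and the database and role name `msf` is an assumption.

```ruby
# Added example, not msfdb's own code: audit a pg_hba.conf for rules that let a
# client reach the Metasploit database without a password. Each rule line is
#   TYPE  DATABASE  USER  [ADDRESS]  METHOD  [OPTIONS]
# and "local" rules (Unix socket) have no ADDRESS column. The method "trust"
# accepts anyone who can reach the socket or port, which is the unauthenticated
# local access MS-2781 closed; "password" authenticates but sends it in clear.

PgHbaRule = Struct.new(:lineno, :type, :database, :user, :address, :auth_method)

def parse_pg_hba(text)
  text.each_line.with_index(1).map do |raw, n|
    line = raw.sub(/#.*/, '').strip     # drop comments and blank lines
    next if line.empty?
    f = line.split
    if f[0] == 'local'
      PgHbaRule.new(n, f[0], f[1], f[2], nil, f[3])
    else
      PgHbaRule.new(n, f[0], f[1], f[2], f[3], f[4])
    end
  end.compact
end

# A rule covers the database when it names it, lists it, or says "all".
def rule_covers_db?(rule, db_name)
  rule.database == 'all' || rule.database.split(',').include?(db_name)
end

# Returns human-readable findings; an empty array means no weak rule covers db_name.
def weak_rules(text, db_name = 'msf')
  parse_pg_hba(text).each_with_object([]) do |r, findings|
    next unless rule_covers_db?(r, db_name)
    where = r.address ? "#{r.type} #{r.address}" : 'local socket'
    case r.auth_method
    when 'trust'
      findings << "line #{r.lineno}: #{where} reaches #{db_name} with no authentication (trust)"
    when 'password'
      findings << "line #{r.lineno}: #{where} sends the #{db_name} password in cleartext"
    end
  end
end

# Constructed fragments for illustration; the database/role name msf is an assumption.
WEAK_HBA = <<~HBA
  # TYPE  DATABASE  USER  ADDRESS       METHOD
  local   all       all                 trust
  host    all       all   127.0.0.1/32  trust
  host    all       all   ::1/128       md5
HBA

HARDENED_HBA = <<~HBA
  # TYPE  DATABASE  USER  ADDRESS       METHOD
  local   msf       msf                 md5
  host    msf       msf   127.0.0.1/32  md5
  host    msf       msf   ::1/128       md5
HBA

if __FILE__ == $PROGRAM_NAME
  puts weak_rules(WEAK_HBA)
  puts(weak_rules(HARDENED_HBA).empty? ? 'hardened: no weak rules' : 'hardened: still weak')
end
```

The hardened fragment restricts every rule to the msf database and role and requires a password hash (md5 here; scram-sha-256 on PostgreSQL 10 and later), which is the shape of configuration the fixed msfdb produces rather than a verbatim copy of it.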

New in Metasploit Framework 4.14.1 (Jul 26, 2017)

  • Bugs Fixed:
  • Pro: MS-2771 - This fix resolves an incorrect update to the campaign state when clicking Reset on a stopped Social Engineering campaign. This issue prevented you from changing the Target List of a Social Engineering campaign. Now, clicking Reset on a stopped Social Engineering campaign enables the Target List dropdown as expected.
  • Pro: MS-2576 - Future updates to Metasploit Pro should no longer require a browser refresh.
  • PR 8545 - This fix resolves a bug causing poor output from running the ps command in Meterpreter. Partial information about processes would prevent showing the whole table. Now, the table displays as expected.
  • PR 8601 - This fix resolves a bug in session logging that caused the final character of a line to be removed from the log. It also adds the session name (usually the number) to the file, which prevents multiple sessions to the same IP from writing to the same file.
  • PR 8604 - This fix resolves workspaces taking a long time to delete, even when there are few hosts or services. The problem was compounded when there were many event or session objects in the database. Rather than instantiating a Ruby object for each record deleted, the deletion now lets the database do more of the work.
  • PR 8622 - This fix resolves command length issues due to constraints introduced by recent changes to the argument parser. The advanced short flag arguments of Meterpreter commands have been modified to be a single character.
  • PR 8624 - This fix resolves a bug causing the kiwi plugin to put hashes under the wrong header when displaying msv credentials.
  • PR 8634 - This fix resolves improper sending of the HTTP Host header. Now, the HTTP client library will always send an HTTP Host header if the host option is provided in an HTTP request call.
  • PR 8644 - This fix corrects the status message for the secure_auth variable in the auxiliary/admin/mysql/mysql_enum module. The text now corresponds to what is actually happening.
  • PR 8650 - This fix corrects the launch path used by the exploits/windows/scada/igss9_misc module for files generated in the C: directory.
  • PR 8681 - This fix resolves an issue causing the php/meterpreter/reverse_tcp payload to stop as soon as a callable method fails to establish a connection. The module now has the ability to try all available connection methods.
  • PR 8690 - This fix resolves a bug introduced recently in the Meterpreter download function code that inadvertently replaced previous options with new ones rather than combining the old and new options together. Now, the options are combined correctly.
  • PR 8699 - The Metasploit Vagrant environment has been updated to Ubuntu 16.04. Also, a compatibility issue with newer versions of rvm for provisioning Ruby has been resolved.
  • PR 8714 - This fix corrects a stack trace you might encounter when doing a file or directory download through a Meterpreter session.
  • PR 8729 - This fix resolves syntax warnings about uninitialized constants in PHP payloads. The warnings could have served as an indicator of compromise (IOC) during exploitation; they are no longer triggered.
  • PR 8732 - This fix resolves an issue on newer Linux distributions that caused a carriage return character ('\r') to be appended every time you pressed Enter.
  • Enhancements and Features:
  • Pro: MS-2494 - We have ended support for 32-bit systems. The ability to check for updates has been removed from 32-bit Windows and Linux installs. For more information, see http://r-7.co/2tdfCUg.
  • PR 8172 - Several example modules have been added for people to reference when learning how to write modules of their own.
  • PR 8205 - The auxiliary/scanner/telnet/satel_cmd_exec module has been added to the framework. This module exploits an OS Command Injection vulnerability in Satel SenNet Data Loggers to perform arbitrary command execution as 'root'. The results of commands are stored as loot by the module, so that the operator can collect information efficiently from an entire data logger network.
  • PR 8455 - The ability to mount remote VMDK (Virtual Machine Disk) files via the VMware vstor2 driver has been added. Use the write mode with extreme care. You should only open a disk file in writable mode if you know for sure that no snapshots or clones are linked from the file.
  • PR 8513 - The ability to dynamically query Meterpreter sessions for support for various extapi commands, such as performing clipboard manipulation, has been added.
  • PR 8514 - The ability to persist your payload through a WMI event subscription has been added. You can choose one of five trigger methods: EVENT, INTERVAL, LOGON, PROCESS, and WAITFOR. This module requires administrator privileges and a high-integrity process. Stageless payloads are not recommended because of PowerShell script length limitations.
  • PR 8523 - Foundational support has been added for tracking a single active session across multiple transport changes, connections, and tunneling mechanisms. It is the first step in disassociating connections from sessions.
  • PR 8549 - The Windows Meterpreter kiwi extension has been updated with the latest version of mimikatz, which adds the ability to change Windows passwords without triggering event logging via the password_change command.
  • PR 8566 - A login scanner module has been added for NNTP servers, which use a protocol old enough to drink...for a decade, now. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
  • PR 8575 - The auxiliary/gather/cerberus_helpdesk_hash_disclosure module has been added to the framework. This module can gather usernames and password hashes from vulnerable versions of the Cerberus Helpdesk application.
  • PR 8577 - The auxiliary/scanner/http/surgenews_user_creds module has been added, which exploits a vulnerability in the WebNews web interface of SurgeNews on TCP ports 9080 and 8119. Unauthenticated users can download arbitrary files from the software root directory, including the user database, configuration files, and log files. The module extracts the administrator username and password, and the usernames and passwords or password hashes for all users.
  • PR 8589 - Support for 64-bit platforms has been added to the winpmem extension, which allows remotely dumping running process memory.
  • PR 8599 - The ability to add or delete DNS records on any DNS server that allows unrestricted dynamic updates has been added.
  • PR 8603 - A verbose flag has been added to the keyscan_start command. The verbose flag can be used to log details about the program and the time that text was entered. Omitting the flag enables the older functionality of the keyscan_start command.
  • PR 8606 - Module search capability has been added to the remote RPC interface. This capability allows you to search msfrpc as you would msfconsole.
  • PR 8607 - Error handling has been added to the payloads/stagers/linux/x64/reverse_tcp module, preventing a noisy crash if the payload fails to stage or there is a network failure.
  • PR 8615 - The auxiliary/dos/cisco/ios_telnet_rocem module has been added to the framework. This module triggers a Denial of Service condition in the Cisco IOS telnet service affecting multiple Cisco switches.
  • PR 8629 - A new module reference type, AKA (also known as), has been added. You can use AKA references to map modules to a particular vulnerability's common name, which enables searching by that name.
  • PR 8631 - Support for Railgun calls on the OSX platform has been added to the Python Meterpreter.
  • PR 8638 - Compatibility with the Rubinius platform has been improved by removing an unsupported feature from the metasploit-concern gem. The Rubinius platform is a higher-performing alternate Ruby implementation.
  • PR 8653 - Error handling has been added to the payloads/stagers/linux/mipsbe/reverse_tcp module, preventing a noisy crash if the payload fails to stage or there is a network failure.
  • PR 8655 - Error handling has been added to the payloads/stagers/linux/mipsle/reverse_tcp module, preventing a noisy crash if the payload fails to stage or there is a network failure.
  • PR 8658 - The ability to download PDF files and extract the author's name from the document metadata has been added.
  • PR 8660 - Even more AKA references have been added.
  • PR 8671 - The ability to reset the password associated with any user ID for vulnerable versions of MantisBT has been added.
  • PR 8689 - The usability of Metasploit in Docker containers has been improved.
  • PR 8711 - Resource scripting on the fly through stdin is now supported in msfconsole.
  • New Exploits:
  • PR 8442 - The exploits/windows/backupexec/ssl_uaf module has been added to the framework. This module exploits a use-after-free vulnerability in the handling of SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for Windows (CVE-2017-8895). This allows you to remotely execute code over an unauthenticated network connection.
  • PR 8519 - The exploits/multi/http/apache_activemq_upload_jsp module has been added to the framework. This module exploits a vulnerability in Apache ActiveMQ 5.x before 5.14.0 that allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
  • PR 8586 - The exploits/windows/http/easychatserver_seh module has been added to the framework. This new module exploits vulnerable versions of Easy Chat Server, a Windows web-based chat application, to gain remote code execution.
  • PR 8600 - The exploits/linux/http/goautodial_3_rce_command_injection module has been added to the framework. This module achieves root-level command injection on vulnerable versions of GoAutoDial CE 3.3 call center software.
  • PR 8652 - The exploits/multi/misc/msf_rpc_console module has been added to the framework. This module connects to a specified Metasploit RPC server and uses the console.write procedure to execute operating system commands. So, you can exploit other Metasploit instances. Valid credentials are required to access the RPC interface.
  • PR 8723 - The exploits/windows/local/razer_zwopenprocess module has been added to the framework. The module exploits a vulnerability in the rzpnk.sys driver installed by Razer Synapse: a specially crafted IOCTL can be used to open a handle to an arbitrary process with privileges sufficient to read, write, and allocate memory. The IOCTL only works if the RazerIngameEngine.exe process is not running, so the exploit checks for it and attempts to kill it if necessary. This exploit is not opsec-safe, because the user is logged out as part of the exploitation process.

New in Metasploit Framework 4.14.0 (May 13, 2017)

  • Bugs Fixed:
  • Pro: MS-2641 - The delete behavior is now more consistent across all settings on the Administration pages.
  • Pro: MS-2634 - This fix resolves an issue that prevented exports from being generated when a webpage with a null byte was scanned.
  • PR 8214 - This fix resolves an issue that prevented the correct commands from being used when communicating with an ELM327-based device via the HW Bridge ELM327 relay script.
  • PR 8288 - Unnecessary API calls have been removed from the wipg1000_cmd_injection module.
  • PR 8291 - The Acunetix importer can now import the web vulnerabilities and services scanned for each host.
  • PR 8300 - This fix addresses an issue that caused Meterpreter scripts to incorrectly check the platform.
  • PR 8306 - This patch fixes a bug where Phishing campaigns could fail to send all emails because of improperly escaped periods. This bug only affects certain types of SMTP servers, and only when the emailed content ends with a lone period (which SMTP treats as the end of the DATA phase); with the escaping fixed, all emails are sent during a Phishing campaign.
  • PR 8322 - This fix resolves a nil bug that occurs when a nonexistent encoder is selected.
  • PR 8337 - The correct schema is now set for staged Meterpreter payloads.
  • Enhancements and Features:
  • PR 8225 - You can now parse and dump the wifi profiles from the shared folder from the SYSTEM account via the kiwi extension. This new command, wifi_list_shared, sits alongside wifi_list rather than replacing it. It allows you to access offline profiles because a user does not need to be signed in, which means that you can obtain wifi credentials regardless of system state.
  • PR 8259 - The post/multi/manage/upload_exec module has been added to the framework, which allows you to upload an executable and automatically execute it.
  • PR 8271 - DOUBLEPULSAR detection has been added to the MS17-010 scanner module.
  • PR 8277 - To improve the docker images, extra files have been removed, runtime dependencies have been reduced, and automatic regression testing has been added.
  • PR 8279 - The Mettle payloads have been renamed to Meterpreter, replacing the former x86-only Linux Meterpreter with a new multi-architecture implementation. It also adds stageless HTTP and HTTPS variants.
  • PR 8282 - Documentation has been added for the auxiliary/scanner/chargen/chargen_probe module.
  • PR 8285 - Documentation has been added for the auxiliary/scanner/x11/open_x11 module.
  • PR 8286 - Documentation has been added for the exploit/unix/x11/x11_keyboard_exec module.
  • PR 8301 - Unreliable checks have been removed from msftidy and new warnings for unused code have been added to it.
  • PR 8309 - You can now discover the operating system architecture of the DOUBLEPULSAR implant when running `auxiliary/scanner/smb/smb_ms17_010`.
  • PR 8325 - A `ncat --ssl` reverse shell payload has been added.
  • New Exploits:
  • PR 8254 - The exploit/windows/misc/hta_server module has been added to the framework. It exploits a Microsoft Office vulnerability that started off as an 0day being exploited in the wild. By using an OLE2 link object in a doc or RTF file, it is possible to abuse the HTA handler, which will allow the document to download a malicious HTA application and execute it.
  • PR 8263 - The exploit/linux/ssh/mercurial_ssh_exec module has been added to the framework. It allows a remote user with SSH access to an HG repository behind a weak hg-ssh repo validation wrapper to break out of their restricted shell by tricking the hg binary into offering up a Python debugger session.
  • PR 8266 - The exploit/windows/http/disksorter_bof module has been added to the framework. It exploits a buffer overflow vulnerability in Disk Sorter Enterprise. By sending a specially crafted string in an HTTP GET request, you can gain arbitrary remote code execution under the context of SYSTEM.
  • PR 8270 - The exploit/linux/http/wipg1000_cmd_injection module has been added to the framework. It exploits a command injection vulnerability in the wePresent WiPG-1000 device.
  • PR 8316 - The exploit/unix/fileformat/ghostscript_type_confusion module has been added to the framework. It exploits a type confusion error in Ghostscript 9.21 and below.
  • Offline Update:
  • http://updates.metasploit.com/packages/9ad936e66360a993b5911251cbaf6e55ab362fdc.bin
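
The lone-period case behind PR 8306 above comes from the SMTP transparency rule: during DATA, a line holding only "." ends the message, so any body line beginning with "." must be sent with an extra leading "." (RFC 5321, section 4.5.2). The following is an added example, not Metasploit's own code, showing both the sending side and a receiving side, with a constructed message whose third line is exactly ".".

```ruby
# Added example, not Metasploit's own code: the SMTP DATA transparency rule
# (RFC 5321, section 4.5.2) behind PR 8306. During DATA a line consisting of a
# single "." terminates the message, so a sender must prefix an extra "." to any
# body line that starts with "."; the receiver strips one leading "." from every
# such line. A sender that skips this truncates any message containing a lone
# "." line and leaves the remainder to be parsed as SMTP commands.

CRLF = "\r\n"

# Client side: apply dot-stuffing to a message body (line endings normalised to CRLF).
def dot_stuff(body)
  body.split(/\r?\n/, -1)
      .map { |line| line.start_with?('.') ? ".#{line}" : line }
      .join(CRLF)
end

# Client side: the complete DATA payload, stuffed body plus the "<CRLF>.<CRLF>" terminator.
def data_payload(body)
  stuffed = dot_stuff(body)
  stuffed += CRLF unless stuffed.end_with?(CRLF)   # terminator must begin on its own line
  stuffed + '.' + CRLF
end

# Server side: consume lines until the lone "." terminator, un-stuffing as we go.
# Returns [message, leftover]; leftover is whatever followed the terminator, which
# a real server would go on to parse as commands. leftover is nil if no terminator arrived.
def smtp_receive_data(wire)
  lines = wire.split(CRLF, -1)
  message = []
  lines.each_with_index do |line, i|
    return [message.join(CRLF), lines[(i + 1)..-1].join(CRLF)] if line == '.'
    message << (line.start_with?('.') ? line[1..-1] : line)
  end
  [message.join(CRLF), nil]
end

# Constructed message whose third line is exactly "." (the campaign-breaking case).
BODY = "Dear user,#{CRLF}Please review the attached report.#{CRLF}.#{CRLF}Regards"

if __FILE__ == $PROGRAM_NAME
  truncated, rest = smtp_receive_data(BODY + CRLF + '.' + CRLF)   # no stuffing
  puts "unstuffed: server kept #{truncated.lines.size} lines, #{rest.bytesize} bytes became commands"
  intact, rest = smtp_receive_data(data_payload(BODY))
  puts "stuffed:   round-trips intact? #{intact == BODY}, leftover #{rest.inspect}"
end
```

Without stuffing the server stops at the third line and treats "Regards" and the real terminator as commands, which is how one bad message can wreck the rest of a campaign on a strict server; with stuffing the message round-trips byte for byte.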

New in Metasploit Framework 4.13.1 (Apr 1, 2017)

  • Bugs Fixed:
  • PR 7967 - The HW Bridge now displays human-readable info/details for Diagnostic Trouble Codes that are being reported by a vehicle.
  • PR 8019 - The post/multi/gather/firefox_creds module now runs better on Kali Linux and deals with directories that contain spaces correctly.
  • PR 8036 - Improvements were made to the run_as_psh module, which lets you run an executable on a Windows machine as another user, so that you can authenticate and run the executable with domain credentials rather than local credentials.
  • PR 8038 - The com.metasploit.meterpreter.AndroidMeterpreter string has been removed from Payload.java because it was being flagged by AV on staged payloads.
  • PR 8056 - The Powershell mixin is now compatible with Python and Windows Meterpreter sessions, which allows modules like post/windows/gather/outlook to work properly.
  • PR 8070 - Some modules now use the `vars_get` parameter to `send_request_cgi` as per `msftidy`.
  • PR 8095 - The command stager in `exploit/windows/ssh/freesshd_authbypass` has been fixed so that it can find the VBS decoder that was moved to the `rex-exploitation` gem.
  • PR 8100 - Fixes and improvements were made to `msfcrawler`.
  • PR 8110 - This fix resolves an issue that prevented process migration through a specified process name from being handled as expected on Windows systems.
  • PR 8116 - This updates the telnet_version scanner to handle a TCP reset more gracefully while scanning hosts.
  • PR 8118 - The rails_secret_deserialization module has been updated to support dash '-' characters in the secret cookie.
  • PR 8119 - The rails_secret_deserialization module has been updated to support period characters in the secret cookie.
  • PR 8128 - This fix resolves an error that occurs when canon_iradv_pwd_extract receives an unexpected response from the target host.
  • PR 8135 - Host names are now validated. If the host name is empty, it is set to the IP address.
  • PR 8141 - This fix resolves an issue that caused the `kill` command in Meterpreter to not work as expected.
  • Enhancements and Features:
  • PR 7835 - A new Windows Local Privilege Escalation exploit template has been added to the framework. It can be used in Visual Studio to create a new exploit that works inside of Metasploit Framework. The goal is to give exploit developers a reference to follow when they create new exploits.
  • PR 7877 - The mDNS Spoofer module has been added to the framework. It listens for mDNS multicast requests on 5353/UDP for A and AAAA record queries and responds with a spoofed IP address (assuming the request matches our regex). Affected devices include, but are not limited to, Apple products, Xbox 360s, routers, and printers.
  • PR 7935 - This patch allows the Hardware Bridge to interact with RF transceiver devices which are supported by rfcat. Additionally, two post modules (transmitter and rfpwnon) ported over from RfCatHelpers scripts are included with this patch.
  • PR 7949 - Documentation has been added for the `auxiliary/scanner/nfs/nfsmount` and `auxiliary/scanner/snmp/snmp_login` modules.
  • PR 8037 - Several fixes and improvements were made to priv_migrate (e.g. a migration is already running under SYSTEM and not downgrading a privileged shell).
  • PR 8058 - The Windows Meterpreter reverse_http/s stagers now have a configurable delay between connection attempts when the listener is unavailable. The default delay is 5 seconds. The stagers can also be configured to retry indefinitely rather than a fixed number of times.
  • PR 8065 - Capabilities for scanning and locating nearby wireless ZigBee networks via the Metasploit HW Bridge have been added to the framework.
  • PR 8071 - Msfconsole can now send text messages that include malicious attachments.
  • PR 8077 - The `srvport` method has been added to `HttpServer`, which allows you to override the displayed `SRVPORT` with the `URIPORT` option.
  • PR 8078 - You can now specify a default resource for `HttpServer` through the use of a parameter to the `start_service` method.
  • PR 8079 - The unauth command exec has been added for dnaLims, as well as a directory traversal auxiliary module.
  • PR 8084 - You can now run the reload and recheck commands together.
  • PR 8088 - The enum_protection gather module for Linux can now report if a target system has getenforce (related to SELinux), aa-status (related to AppArmor), or gradm2 (related to Grsecurity) executables installed.
  • PR 8104 - Visual Improvements were made to the Unicode tree produced by WMAP plugin's `wmap_sites -s` command.
  • PR 8108 - The `-l` option has been added to the `load` command. You can use this option to list available plugins.
  • PR 8117 - The `pgrep` and `pkill` commands have been added to the Meterpreter UI, which allows you to search for processes by name and kill them by name. Previously, you had to search for processes using `ps` and `kill` them by their PID.
  • PR 8130 - Documentation for the `winrm_script_exec` module has been added.
  • PR 8132 - Python 3 support has been added for the web_delivery module.
  • PR 8138 - This fix resolves an issue that caused the post/linux/gather/enum_system module to crash the Mettle payload. It also adds initial http/https transport support.
  • New Exploits:
  • PR 7781 - The IBM WebSphere RCE Java Deserialization Vulnerability exploit has been added to the framework. It exploits a vulnerability (CVE-2015-7450) in IBM's WebSphere Application Server.
  • PR 7956 - The QNAP NAS/NVR Administrator Hash Disclosure exploit has been added to the framework. It exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory.
  • PR 8076 - The easy_file_sharing_ftp module has been added to the framework. It performs a directory traversal attack against a vulnerable Easy File Sharing FTP Server and allows you to steal files outside the FTP directory.
  • PR 8086 - The Logsign Remote Command Injection module has been added to the framework. It provides remote exploitation for a command injection vulnerability in Logsign.
  • PR 8103 - An exploit for CVE-2017-5638 has been added to the framework. It targets a vulnerability in Apache Struts2's Jakarta Multipart Parser and allows an attacker to inject malicious code via the HTTP Content-Type header, which results in arbitrary remote code execution.
  • PR 8113 - A buffer overflow exploit for SysGauge 1.5.18 has been added to the framework.

New in Metasploit Framework 4.10.2 (Apr 1, 2017)

  • Exploit Modules:
  • Samsung Galaxy KNOX Android Browser RCE by Andre Moulu and joev exploits OSVDB-114590
  • MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability by Egidio Romano and Juan Escobar exploits CVE-2014-7146
  • MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python by sinn3r, juan vazquez, and Haifei Li exploits CVE-2014-6352
  • MS14-064 Microsoft Windows OLE Package Manager Code Execution by sinn3r, juan vazquez, and Haifei Li exploits CVE-2014-6352
  • Auxiliary and Post-Exploitation Modules:
  • ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection by Pedro Ribeiro exploits CVE-2014-8499
  • Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration by nullbind
  • Microsoft SQL Server - Escalate EXECUTE AS by nullbind
  • Microsoft SQL Server - SQLi Escalate Execute As by nullbind
  • ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure by Pedro Ribeiro exploits CVE-2014-6039
  • Oracle TNS Listener Checker by ir0njaw (Nikita Kelesis)
  • Gather Quake Server Information by Jon Hart
  • UDP Scanner Example by Joe Contributor
  • Notable Fixes and Changes:
  • #4102: Use correct dest port for NBNS spoofer
  • #4177: Differentiate failed binds from connects (issue #4169)
  • #4179: Updated meterpreter_bins to 0.0.11 (fixes #3787)
  • #4181: Fixed a display bug where URIPORT appears to be 0 (fixes #4164)
  • #4185: Sandworm variant exploit (CVE-2014-6352)
  • #4188: Fixed a blank password bug (fixes MSP-11592)
  • #4191: Fixed 2.1 bug with respond_to? (issue #4163)
  • #4196: Added python-based UAC for MS14-064 (OLE bug)
  • #4197: Bug in blank username (fixes MSP-11609, fixes #4193)
  • #4198: Restored ability to import Metasploit V5 XML (issue #4184)
  • #4207: Support lazy thread creation for Framework (MSP-11605)
  • #4208: Fixed psexec file removal error (issue #4162)
  • #4209: Added wiki docs on how to use Rex::Zip::Archive
  • #4212: Added wiki docs on Rex::Proto::SMB Error messages
  • #4217: Fixed Browser AutoPwn detection error
  • #4226: Bundler error message more user-friendly on msfconsole (issue #4222)
  • #4153: Moved API docs to http://rapid7.github.io/metasploit-framework/api
  • Pro: The Selected Targets list on the Credentials Reuse workflow will now display and scroll properly regardless of the browser window size.
  • Pro: Importing a Nexpose XML file will no longer result in the "NoMethodError undefined method `gsub' for nil:NilClass" error. All Nexpose XML formats will now successfully import into a project.
  • Pro: Running msfconsole will no longer result in the "NoMethodError undefined method `dlopen' for Fiddle:Module" error and will successfully load on Windows systems.
  • Pro: Running the db_import command on msfconsole will now successfully import Version 4 and 5 XML export files. Rapid7 is currently working to add the ability to export and import workspace ZIP files to the Framework so that it can support full credential exports from the workspace.
  • Pro: Any MetaModule that requires a scope, such as the Known Credentials Intrusion MetaModule, will properly validate the provided host addresses before it runs. If an invalid scope is defined, the MetaModule will display an error message and will not run until a valid scope is provided.
  • Pro: Ruby was updated to Ruby 1.9.3-p551 to address CVE-2014-8090.

New in Metasploit Framework 4.0.0 (Aug 4, 2011)

  • Statistics:
  • Metasploit now ships with 716 exploit modules, 361 auxiliary modules, and 68 post modules.
  • 20 new exploits, 3 new auxiliary modules, and 14 new post modules have been added since the last release (3.7.2)
  • Highlights & New Features:
  • This release marks the first major version change in five years. Please see the blog for more information.
  • Several import parsers were rewritten to use Nokogiri for much faster processing of large import files.
  • Adding to Metasploit's extensive payload support, Windows and Java Meterpreter now both support staging over http and Windows can use https. In a similar vein, POSIX Meterpreter is seeing some new development again. It still isn't perfect nor is it nearly as complete as the Windows version, but many features already work.
  • Java applet signing is now done directly in ruby, removing the need for a JDK for generating self-signed certificates.
  • The Linux installers now ship with ruby headers, making it possible to install native gems in the Metasploit ruby environment.
  • On a related note, Linux installers also ship with a working pcaprub extension. Expect pcap support in Windows to come later: #5117.
  • New Modules since 3.7.2:
  • New Exploit Modules:
  • VSFTPD v2.3.4 Backdoor Command Execution
  • Java RMI Server Insecure Default Configuration Java Code Execution
  • HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
  • HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
  • Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability
  • Black Ice Cover Page ActiveX Control Arbitrary File Download
  • Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
  • MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
  • Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview
  • RealWin SCADA Server DATAC Login Buffer Overflow
  • Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
  • Iconics GENESIS32 Integer overflow version 9.21.201.01
  • Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
  • Sielco Sistemi Winlog Buffer Overflow
  • Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
  • HP OmniInet.exe Opcode 20 Buffer Overflow
  • HP OmniInet.exe Opcode 27 Buffer Overflow
  • Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow
  • New Post-Exploitation Modules:
  • Winlogon Lockout Credential Keylogger
  • Windows Gather Microsoft Outlook Saved Password Extraction
  • Windows Gather Process Memory Grep
  • Windows Gather Trillian Password Extractor
  • Windows PCI Hardware Enumeration
  • Windows Gather FlashFXP Saved Password Extraction
  • Windows Gather Local and Domain Controller Account Password Hashes
  • Windows Gather Nimbuzz Instant Messenger Password Extractor
  • Windows Gather CoreFTP Saved Password Extraction
  • Internet Download Manager (IDM) Password Extractor
  • Windows Gather SmartFTP Saved Password Extraction
  • Windows Gather Bitcoin wallet.dat
  • Windows Gather Service Info Enumeration
  • Windows Gather IPSwitch iMail User Data Enumeration
  • New Auxiliary Modules:
  • John the Ripper Password Cracker Fast Mode
  • Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
  • Kaillera 0.86 Server Denial of Service
  • 2Wire Cross-Site Request Forgery Password Reset Vulnerability
  • SIPDroid Extension Grabber
  • MSSQL Password Hashdump
  • Notable Features & Closed Bugs:
  • Feature #4982 - Support for custom executable with psexec
  • Feature #4856 - RegLoadKey and RegUnLoadKey functions for the Meterpreter stdapi
  • Feature #4578 - Update Nmap XML parsers to support Nokogiri parsing
  • Feature #4417 - Post exploitation module to harvest OpenSSH credentials
  • Feature #4015 - Increase test coverage for railgun
  • Bug #4963 - Rework db_* commands for consistency
  • Bug #4892 - non-windows meterpreters upload into the wrong filename
  • Bug #4296 - Meterpreter stdapi registry functions create key if one doesn't exist
  • Bug #3565 - framework installer fails on RHEL (postgres taking too long to start)
  • Armitage:
  • Armitage integrates with Metasploit 4.0 to:
  • Take advantage of the new Meterpreter payload stagers
  • Crack credentials with the click of a button
  • Run post modules against multiple hosts
  • Automatically log all post-exploitation activity

New in Metasploit Framework 3.7.0 (May 5, 2011)

  • Statistics:
  • Metasploit now ships with 685 exploit modules, 355 auxiliary modules, and 39 post modules.
  • 35 new exploits, 17 post-exploitation modules, and 15 auxiliary modules have been added since the last release.
  • Highlights & New Features:
  • Feature highlights:
  • Support for SMB signing, enabling pass-the-hash and stolen password attacks against Windows 2008 Server environments.
  • The Microsoft SQL Server mixin (and all modules) now supports NTLM authentication.
  • Data import backend has undergone a rewrite, speeding up most import tasks by a factor of four.
  • OS information is now normalized to make fingerprinting more accurate and easier to deal with.
  • Highlights from the new modules include:
  • Apple iOS Backup File Extraction: Extract sensitive data from iTunes backup files (location, call history, SMS content, pictures, etc).
  • Exploits for two different Adobe Flash vulnerabilities exploited in the wild.
  • Code execution modules for MySQL and PostgreSQL when a valid login is available.
  • Exploit for the Accellion File Transfer Appliance Default Encryption Key flaw found by Rapid7.
  • Over ten new exploits for HP Network Node Manager (plus an HP OpenView exploit).
  • Post-exploitation module for privilege escalation through the .NET Optimizer Service.
  • Post-exploitation modules for stealing stored WinSCP and VNC passwords.

New in Metasploit Framework 3.5.1 (Dec 16, 2010)

  • Statistics
  • Metasploit now has 613 exploit modules and 306 auxiliary modules (from 551 and 261 respectively in v3.4)
  • Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (480K lines of Ruby)
  • Over 85 tickets were closed since the last point release and over 130 since v3.4.0
  • General
  • Sessions now include additional information by default. This is often the username/hostname of the remote session.
  • Dead sessions are now automatically detected and closed without requiring user interaction.
  • The msfcli interface is now a thin wrapper around msfconsole; auxiliary modules and passive exploits now work.
  • All modules now track which local user launched them (via module.owner)
  • Resolve Windows error codes into descriptive strings
  • Automatically choose a preferred "reverse" payload if none was specified
  • Warn the user if an antivirus program has corrupted the installation (EICAR canary)
  • A socks4a proxy auxiliary module is available capable of routing through a meterpreter session
  • Host names will now resolve properly on Windows with Ruby 1.9.1+
  • Improved performance and accuracy of FTP and telnet brute force scanners
  • Payloads
  • Java Meterpreter is now available for some Java exploits such as exploit/multi/browser/java_trusted_chain
  • A race condition in concurrent incoming session handling has been fixed
  • The reverse_https stager is more reliable through an additional wfs_delay
  • The ReverseListenerBindAddress option can be used to override LHOST as the local bind address for reverse connect payloads
  • The ReverseListenerComm option can be set to "local" to prevent the listener from binding through a Meterpreter pivot
  • Bug fixes for proper socket cleanup in exploit and auxiliary modules, even after exceptions are thrown
  • Allow the IPv6 Bind stagers to work over Teredo tunnels
  • Plugins
  • Lab plugin added to manage target VMs
  • Support for managing Nessus scans from the console via Zate Berg's plugin
  • Meterpreter Scripts
  • All scripts now run in the context of an anonymous class, with access to shared methods
  • A script has been added by scriptjunkie for automatically exploiting weak service permissions
  • Tab completion for the "run" command now looks in ~/.msf3/scripts/meterpreter/
  • All credential-related tools (credcollect, hashdump, etc) now use the new creds database table
  • Meterpreter Core
  • Only a single SSL certificate is generated for all Meterpreter sessions per instance of Metasploit
  • The AutoSystemInfo option can be disabled if username, hostname, and admin status should not be automatically obtained
  • RAILGUN has been merged into the STDAPI extension and x64 support has been added
  • Support slow/laggy connections better through extended timeouts
  • Automatically close file, registry, process, thread, and event handles through finalizers
  • Search for files (using the Windows index where available)
  • Database
  • A new db_export command has been added that produces db_import compatible XML snapshots of a given workspace
  • Web sites and web application data are now stored in the web_sites, web_pages, web_forms, and web_vulns tables
  • Import of both NeXpose Raw XML and NeXpose Simple XML has been improved
  • Import support has been added for Retina and NetSparker XML
  • The Nessusv2 XML format now uses an improved SAX-based parser
  • The connection pool size has been reduced to match PostgreSQL defaults
  • Cracked credentials now have their own database table (creds) instead of being a subclass of notes
  • New exploited_hosts table added to streamline bookkeeping of successful session generation
  • db_import is more robust in the face of badly-formatted data
  • report_note and report_vuln now automatically create associated hosts and services in the database if absent
  • GUI
  • A new Java GUI has been created to replace the GTK interface, which relied on unmaintained and buggy libraries
  • The new GUI uses the XMLRPC interface to control Metasploit
  • It supports launching modules, viewing running jobs and sessions, and interacting with sessions
  • It can generate, encode, and save payloads with the features of msfencode
  • It integrates support for most Meterpreter scripts
  • It provides support for handling plugins
  • It supports database connection, and allows viewing the database as well as limited interaction with the database
  • Deprecated
  • The msfweb interface is no longer included. This interface was marked as unsupported 12 months ago and no suitable replacements were found.
  • The GTK interface is no longer included and has been replaced by scriptjunkie's Java GUI that uses the XMLRPC protocol.
  • The sqlite3 backend is no longer supported and may be removed entirely in an upcoming point release. Use PostgreSQL or MySQL instead.
  • The VNC stage for the old DLL injection stager (patchup) has been removed due to compatibility issues
  • Deprecated specific filetypes for db_import_* commands; users should use just "db_import"

New in Metasploit Framework 3.4.1 (Oct 20, 2010)

  • Statistics:
  • Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
  • Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
  • Over 100 tickets were closed since the last point release and over 200 since v3.3
  • General:
  • The dns_enum auxiliary module now supports bruteforcing IPv6 AAAA records thanks to a patch from Rob Fuller
  • Command shell sessions can now be automated via scripts using an API similar to Meterpreter
  • The console can be automated using Ruby code blocks within resource files
  • Initial sound support is available by loading the "sounds" plugin
  • The Report mixin and report_* methods are now one-way: you can write to the database but not work with the results. This increases the scalability of the database.
  • Many modules report information to the database by default now (auxiliary/scanner/*)
  • Lotus Domino version, login bruteforce, and hash collector auxiliary modules
  • Upgrade any command shell session to Meterpreter via sessions -u (Windows only)
  • The VNC injection payload now uses the latest TightVNC codebase and bypasses Session 0 isolation
  • Several modules were renamed to include their Microsoft Technet bulletin number, e.g. ie_xml_corruption is now ms08_078_xml_corruption
  • Code can now interface directly with an installed Java Development Kit via a Java mixin. See the java_signed_applet exploit for an example.
  • Tomcat and JBoss installations can be exploited to gain sessions (Windows x86/x64, Linux x86/x64)
  • The msfencode utility can now generate WAR payloads for Tomcat and JBoss
  • Oracle XDB SID brute forcing is much more comprehensive thanks to Thomas Ring
  • The msfencode utility can now inject into an existing executable while keeping the original functionality
  • The XMLRPC server has been improved and additional APIs are available
  • The db_import command now supports NeXpose Simple XML, NeXpose Export XML, Nessus (NBE, XMLv1, XMLv2), QualysGuard XML, and Nmap
  • The sqlite3 driver has been deprecated. To ease the transition away from sqlite3, the postgres driver is installed by default in the Linux installer.
  • There is a new db_status command that shows which driver is currently in use and whether your database connection is active
  • Bruteforce Support:
  • Account brute forcing has been standardized across all login modules
  • Login and version scanning module names have been standardized
  • The SSH protocol is now supported for brute force and fingerprint scans
  • The telnet_login and ssh_login modules now create sessions
  • MySQL is now supported for brute forcing, enumeration, service fingerprinting, and arbitrary SQL queries
  • Postgres fingerprinting (pre-authentication) using the line numbers in the error messages
  • Tomcat is now supported for brute forcing and session creation
  • Meterpreter:
  • The Meterpreter process management APIs and commands can now see all processes on WinNT 4.0 -> Windows 7 (32 & 64)
  • The Meterpreter can now migrate from 32-bit to 64-bit processes and from 64-bit to 32-bit processes, and uses a new mechanism to perform the migration.
  • The Meterpreter adds the steal_token, drop_token, getprivs, and getsystem commands (including kitrap0d integration)
  • The Meterpreter pivoting system now supports bidirectional UDP and TCP sockets
  • The Meterpreter protocol handler now supports ZLIB compression of data blocks
  • The Meterpreter can now take screenshots (jpeg) without process migration and bypasses Session 0 isolation
  • The Meterpreter can now stage over a fully-encrypted SSL 3.0 connection using the reverse_https stager
  • The Meterpreter and Command Shell scripts are now evaluated in the context of a new Rex::Script object
  • The "hashdump" Meterpreter script provides a safe way to dump hashes for the local user accounts
  • Automatically route through new subnets with the auto_add_route plugin
  • Known issues:
  • To deal with the myriad database synchronization issues, particularly in the sqlite3 driver, the database is write-only for the most part.
  • When gems containing non-UTF8 characters are installed on the system, starting the framework fails with Encoding::UndefinedConversionError in ruby 1.9.x; this is bug #1914
  • Interacting with a Meterpreter session while it is in the middle of migrating will cause the migration to fail and kill the session; this is bug #1360
  • In some cases, backgrounded sessions have no output handle and can potentially lose data that should be printed to the console; this is bug #1982.

New in Metasploit Framework 3.3.3 (Mar 31, 2010)

  • All exploits now contain a ranking that indicates how dangerous the default settings are to the target host.
  • The search command now takes a -r option to specify a minimum ranking of modules to return.
  • The db_autopwn and nexpose_scan commands now take a -R option to specify a minimum ranking of modules to run.
  • The InitialAutoRunScript option has been added to Meterpreter, providing a way for exploits to specify required post-exploit tasks (migrate out of a dying process).
  • jRuby 1.4.0 can be used to run some parts of the framework, however it is not supported or recommended at this time.
  • The sessions command can now run a single command (-c) or a script (-s) on all open sessions at once.
  • The Win32 EXE template is now smaller (37k from 88k).

New in Metasploit Framework 3.3.1 (Dec 6, 2009)

  • Metasploit now has 453 exploit modules and 218 auxiliary modules (from 445 and 216 respectively in v3.3)
  • Metasploit now integrates with all editions of NeXpose (see NeXpose_Plugin)
  • The msfconsole now stores and loads history automatically
  • The Linux installer now correctly unsets GEM_PATH to avoid gem installation conflicts
  • Generated Windows executables are much more random and AV-resistant
  • WMAP reporting now uses the notes table instead of a separate set of reporting tables
  • Auxiliary scanners are now much more stable on Ruby 1.9.1
  • Meterpreter migration sanity checks added
  • The Windows installer now includes Nmap 5.10BETA1

New in Metasploit Framework 3.3 (Nov 17, 2009)

  • Statistics:
  • Metasploit now has 443 exploit modules and 216 auxiliary modules (from 320 and 99 respectively in v3.2)
  • Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (375k lines of Ruby)
  • Over 170 tickets were closed during the 3.3 development process
  • General:
  • Ruby 1.9.1 is now supported and recommended
  • Windows Vista and Windows 7 are now supported
  • Major improvements in startup speed thanks to patches from Yoann Guillot
  • Windows:
  • The msfconsole is now the primary user interface on Windows (using RXVT)
  • The Windows installer now uses Ruby 1.9.1 (cygwin)
  • The Windows installer now ships with Cygwin 1.7
  • The Windows installer now comes in full and mini editions
  • The Windows installer can be launched silently with /S /D=C:\path
  • The Windows installation is now portable and can be installed to USB
  • The Windows installation works on 64-bit Windows if launched in Compatibility Mode
  • The Windows installer now offers to install Nmap 5.0 for your convenience
  • Linux:
  • Standalone Linux installers are now available for 32-bit and 64-bit Linux. These installers contain a complete execution environment, including Ruby 1.9.1, Subversion, and dependent libraries.
  • The preferred installation location is /opt/metasploit3/msf3, please see the Ubuntu and generic Linux installation guides for more information.
  • msfconsole:
  • The startup banner now includes the number of days since the last update and the svn revision
  • The RbReadline library is used by default, allowing msfconsole to work on systems without libreadline
  • The -L parameter to msfconsole now allows the system Readline to be used if necessary
  • A new 'connect' command, similar to netcat, that can use meterpreter routes
  • Colorized output on terminals that support it. This can be disabled (or forced on) with the 'color' command
  • msfencode:
  • Win32 payloads can now be embedded into arbitrary executables using 'msfencode -t exe -x MYFILE.exe -o MYNEWFILE.exe'.
  • Win64 payloads can now be embedded into arbitrary 64-bit executables using 'msfencode -a x64 -e x64/xor -t exe -o MYNEWFILE.exe'.
  • The default executable size for generated Win32 binaries now depends on the size of data/templates/template.exe. As of the release, this file is approximately 80k.
  • Payloads can be generated as VBS scripts using the -t vbs option to msfencode. Persistent (looping) payloads can be generated with -t loop-vbs.
  • Payloads can be generated as VBA macros for embedding into Office documents. The output is in two parts: the first must be pasted into the Macro editor, the second (hex) must be pasted at the end of the Word document.
  • The x86/alpha_mixed and x86/alpha_upper encoders now accept the AllowWin32SEH option (boolean) to use a SEH GetPC stub and generate 100% alphanumeric output.
  • msfxmlrpcd:
  • This is a standalone Metasploit server that accepts authenticated connections over SSL.
  • The demonstration client, msfxmlrpc, can be used to call the remote API
  • Database:
  • Database support is now active as long as rubygems and at least one database driver are installed. The old db_* plugins are no longer necessary and have been deprecated.
  • The vulnerabilities table now references the host as the parent table and not the service. This allows vulnerability information that is not tied to an exposed service to be recorded.
  • Exploits:
  • All applicable exploits now have OSVDB references thanks to a major effort by Steve Tornio
  • New aix/rpc_ttdbserverd_realpath exploit module, which targets the latest versions of the IBM AIX operating system (5.3.7 to 6.1.4)
  • Support for the Oracle InstantClient Ruby driver as an exploit mixin
  • Support for the TDS protocol (MSSQL/Sybase) using a custom native Ruby driver (MSSQL 2000 -> 2008)
  • Extensive support for exploitation and post-exploitation tasks against Oracle databases
  • Extensive support for exploitation and post-exploitation tasks against Microsoft SQL Server databases
  • The browser_autopwn module was completely rewritten using much more robust fingerprinting methods
  • SOCKS4, SOCKS5, and HTTP proxies work much better now
  • Payloads:
  • The Windows stagers now support NX platforms by allocating RWX memory using VirtualAlloc. The stagers have been updated to perform reliable stage transfer without a middle stager requirement.
  • The reverse_tcp stager now handles connection failures gracefully by calling EXITFUNC when the connection fails. This stager can also try to connect more than once, which is useful for unstable network connections. The default number of connection attempts is 5 and can be controlled via the ReverseConnectRetries advanced option. Setting this value to 255 will cause the stager to retry indefinitely.
  • The reverse_tcp_allports stager has been added; it cycles through all 65,535 possible ports trying to connect back to the Metasploit console
  • The ExitThread EXITFUNC now works properly against newer versions of Windows
  • The CMD payloads now indicate support for specific userland tools on a per-exploit level
  • The Windows stagers now support Windows 7
  • New payload modules for Linux on POWER/PowerPC/CBEA
  • New payload modules for Java Server Pages (JSP)
  • New payload modules for Windows x64
  • New payload modules for IBM AIX operating systems (versions 5.3.7 to 6.1.4)
  • Auxiliary:
  • Scanner modules now run each thread in its own isolated module instance
  • Scanner modules now report their progress (configurable via the ShowProgress and ShowProgressPercent advanced options).
  • A simple fuzzer API is now available as well as 15 example modules covering HTTP, SMB, TDS, DCERPC, WiFi, and SSH.
  • Ryan Linn's HTTP NTLM capture module has been integrated
  • Support for the DECT protocol and DECT mixins have been integrated (using the COM-ON-AIR hardware)
  • Support for the Lorcon2 library including a new Ruby-Lorcon2 extension
  • Addition of airpwn and dnspwn modules to perform spoofing with raw WiFi injection using Lorcon2
  • The pcaprub extension has been updated to build and run properly under Ruby 1.9.1
  • Max Moser's pSnuffle packet sniffing framework has been integrated into Metasploit
  • Meterpreter:
  • The Meterpreter now uses Stephen Fewer's Reflective DLL Injection technique by default as opposed to the old method developed by skape and jt.
  • The Meterpreter now uses OpenSSL to emulate an HTTPS connection once the staging process is complete. After metsrv.dll is initialized, the session is converted into an SSLv3 link using a randomly generated RSA key and certificate. The target side now sends a fake GET request through the SSL link to mimic the traffic patterns of a real HTTPS client.
  • The Meterpreter AutoRunScript parameter now accepts script arguments and multiple scripts. Each script and its arguments should be separated by commas.
  • The Meterpreter can now take screen shots using the 'espia' extension and the 'screenshot' command. To use this feature, enter "use espia" and "screenshot somepath.bmp" from the meterpreter prompt.
  • The Meterpreter can now capture traffic on the target's network. This is handled in-memory using the MicroOLAP Packet SDK. This extension can buffer up to 200,000 packets at a time. To use this feature, enter "use sniffer" and "sniffer_start" from the meterpreter prompt.
  • The Meterpreter now supports keystroke logging by migrating itself into a process on the target desktop and using the keyscan_start and keyscan_dump commands.
  • The Meterpreter now supports the "rm" file system command.
  • The Meterpreter now supports the "background" command for when Ctrl-Z isn't feasible.
  • The Meterpreter now supports 64-bit Windows.
  • Alexander Sotirov's METSVC has been added to the Metasploit tree and stub payloads are available to interact with it
  • Meterpreter POSIX:
  • The basic framework for Meterpreter on Linux, BSD, and other POSIX platforms was completed by JR
  • The stdapi extension has been partially ported to the POSIX platform
  • Meterpreter Scripts:
  • All scripts now accept a "-h" argument to show usage
  • Deprecated:
  • The msfgui interface is not actively maintained and is looking for a new community owner
  • The msfweb interface is not actively maintained and is looking for a new community owner
  • The msfopcode command line utility is disabled until the Opcode Database is updated
  • The msfopcode client API is disabled until the Opcode Database is updated and restored