Last updated at Mon, 24 Jul 2017 17:03:33 GMT

Metasploit 4.6.1 Released

This week's update bumps the patch version of Metasploit to 4.6.1 (for installed versions of Metasploit). The major change here is the ability to install Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle with the installer and a few of Metasploit Pro's dependencies to get that all working correctly, and that led to skipping last week's release so we could be sure all the moving parts lined up correctly.

This release also fixes a few minor issues in Metasploit Pro that affected a handful of users -- you can read up on what exactly has changed in the release notes. As usual, it's a little bigger than you might expect from your typical update, given the changes in the installer code, so give it a couple extra minutes to download and do its update thing.

Intern Found!

If you've been watching this space, you'll know that we've been on the prowl for a summer intern. Welp, the search is over -- we've managed to pick up a well-qualified college student who has a strong background in both IT ops and exploit dev. If you have Pull Requests in the metasploit-framework backlog, or aging bugs in the Redmine Issue Tracker, then you should expect to meet him soon as he validates your pulls and bugs and gets your stuff back on track (or mercilessly axed).

Of course, this sort of backlog validation doesn't have to land on in paid intern's lap. If you're looking to beef up your resume, know a thing or two about IT security and Ruby, and are handy with VMware or Vagrant, you are more than welcome to throw in as well. We can always use extra validation inputs to our bugs and PR's. Even if you're not here in the Mazes of Metasploit, fixing bugs and getting your name attached to Metasploit commits is a pretty decent reference all by itself, paid or not.

SVN is Still Mostly Dead

This week we've locked up our SVN server at with a pretty unguessable username and password. This is to discourage people from following the piles of pre-2011 documentation that's out there. The SVN lockdown is described at in more detail, but the moral of the story is, don't even try to guess the password, and don't try to use your e-mail password or GitHub password or anything like that. The whole point of this new behavior is to merely transmit the instructions to move to Git in the WWW-Authenticate header.

New Modules

We've a fairly huge bucket full of exploits and auxiliary modules this week. Sixteen total, mostly around our 2013 theme of home access points and SAP installations. We're also shipping Juan's 1Day exploit for Mutiny appliances this week, as well as an exe dropper for SSH sessions from Spencer McIntyre and Brandon Knight.

Oh, and did you hear about the Linode compromise? Part of the incident centered around recent ColdFusion bugs. Now, I'm sure ColdFusion is a delightful language to work in and if you're CFM artiste, you probably have a ball every day working on your codebase. That said, it's not super popular language here in the 21st Century. This usually means that you're stuck with legacy-flavored security bugs, like the directory traversal vulnerability exercised by Hack The Planet and ported to Metasploit by Wei @_sinn3r Chen.


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.