Immunity CANVAS latest build and release notes, all in a single post. This is a common request, so we keep one continuously updated post, with the latest release on top and older releases below it. Instead of creating a new post for each release date, we combine everything here for easy reference across the edition's build history and the features implemented with each release. The post date will change to reflect the latest update, even though the older portion of the content was posted previously, so that the post stays current for customers and for anyone who wants all the information in one place. Feel free to contact E-SPIN regarding the product and related matters.
2022-Aug-11 CANVAS 7.35 released
In this CANVAS release we are bringing you 4 new modules and bugfixes.
Our new modules include three remote code execution exploits targeting CouchDB, Confluence, and Zabbix, and one client side module targeting Microsoft Office.
==Changes==
o f5_bigip_auth_bypass_rce – improved fingerprinting
o wso2_file_upload_rce – improved fingerprinting
==New Modules==
o couchdb_default_cookie (CVE-2022-24706)
o confluence_ognl_injection (CVE-2022-26134)
o office_follina_msdt_exec (CVE-2022-30190)
o zabbix_saml_bypass_rce (CVE-2022-23131)
2022-May-31 CANVAS 7.34 released
In this CANVAS release we are bringing you 4 new modules and bugfixes.
Our new modules include two remote modules targeting F5 BIG-IP and WSO2, and two
Linux kernel privilege escalation modules.
==Changes==
o Installer fixes for Kali Linux
==New Modules==
o f5_bigip_auth_bypass_rce (CVE-2022-1388)
o wso2_file_upload_rce (CVE-2022-29464)
o linux_esp6_output_head (CVE-2022-27666)
o linux_xt_compat_oob_write (CVE-2021-22555)
2022-Apr-14 CANVAS 7.33 released
In this CANVAS release we are bringing you 3 new modules and bugfixes.
Our new modules include two Linux privilege escalation exploits (linux_pipe_buffer,
linux_pkexec_argc) and a remote exploit targeting Redis.
==Changes==
o Update installer to support Blackbox 7
==New Modules==
o linux_pipe_buffer (CVE-2022-0847)
o linux_pkexec_argc (CVE-2021-4034)
o redis_sandbox_escape_rce (CVE-2022-0543)
2022-Jan-26 CANVAS 7.32 released
In this CANVAS release we are bringing you 5 new modules and bugfixes.
Our new modules include the log4j exploit (CVE-2021-44228), two VMware
vCenter exploits (CVE-2021-22005, CVE-2021-21985), an exploit for Grafana
(CVE-2021-43798) and one for Oracle WebLogic (CVE-2020-14882).
==Changes==
o spkproxy – ability to specify HTTP version in urlopen()
==New Modules==
o grafana_lfi (CVE-2021-43798)
o log4j_rce (CVE-2021-44228)
o vmware_vcenter_health_rce (CVE-2021-21985)
o vcenter_file_upload (CVE-2021-22005)
o weblogic_el_injection (CVE-2020-14882)
2021-Dec-10 CANVAS 7.31 released
In this CANVAS release we are bringing you 5 new modules and bugfixes.
Our new modules include a local privilege escalation targeting Windows 10 (CVE-2021-33739), a remote command execution exploit targeting Microsoft Azure OMI (CVE-2021-38647), a remote code execution in Microsoft Office (CVE-2021-40444), a module exploiting
SeriousSAM (CVE-2021-36934) and one remote command execution exploit targeting Apache 2.4.49/2.4.50 (CVE-2021-41773, CVE-2021-42013).
==Changes==
o Linux installer fixes (Kali)
==New Modules==
o dwm_remove_binding_lpe (CVE-2021-33739)
o office_mshtml_activex (CVE-2021-40444)
o omigod (CVE-2021-38647)
o serious_sam (CVE-2021-36934)
o apache_cgi_rce (CVE-2021-41773, CVE-2021-42013)
2021-Aug-31 CANVAS 7.30 released
In this CANVAS release we are bringing you 4 new modules and bugfixes.
Our new modules include both PrintNightmare implementations (LPE/RCE) and two
Sharepoint remote exploits.
==Changes==
o GetRoot updated with our latest modules
o seimpersonate_lpe fixes
o Linux installer updated for Ubuntu 21.04
o Windows installer fixes
==New Modules==
o print_nightmare_rce (CVE-2021-34527)
o print_nightmare_lpe (CVE-2021-34527)
o sharepoint_typeconverters_rce (CVE-2020-0932)
o sharepoint_workflows_rce (CVE-2020-0646)
2021-May-13 CANVAS 7.29 released
In this CANVAS release we are bringing you 3 new modules and bugfixes.
Our new modules include a client-side exploit targeting IE11 (ie_mshtml_doublefree) and two local privilege escalation exploits targeting Ubuntu (overlayfs_setxattr) and Windows 10 (wndextra_oob_lpe).
==Changes==
o Linux installer fixes
o Fix gtk2 installation on Ubuntu 18.04
o system-wide installation fixes
==New Modules==
o ie_mshtml_doublefree (CVE-2021-26411)
o overlayfs_setxattr (CVE-2021-3493)
o wndextra_oob_lpe (CVE-2021-1732)
2021-Mar-30 CANVAS 7.28
In this CANVAS release we are bringing you 4 new modules and bugfixes.
Our new modules include two local privilege escalation exploits targeting Windows
(vstrwrite01_lpe, service_tracing_lpe), one LPE targeting Ubuntu/Debian distros (sudo_heap_overflow) and a remote code execution exploit
targeting Microsoft Exchange Server (exchange_proxylogon_rce).
We updated our installation procedure information and also fixed our Linux installer in order to support Ubuntu 20.04 and Kali 2021.1.
==Changes==
o Documentation fixes
o Updated installation procedure and supported platforms
o Linux installer fix
o Added support for Ubuntu 20.04 and Kali 2021.1
==New Modules==
o sudo_heap_overflow (CVE-2021-3156)
o vstrwrite01_lpe (CVE-2020-1054)
o service_tracing_lpe (CVE-2020-0668)
o exchange_proxylogon_rce (CVE-2021-26855)
2021-Feb-9 CANVAS 7.27
In this CANVAS release we are bringing you 4 new modules and bugfixes.
Our new modules include zerologon (CVE-2020-1742) and three remote code
execution exploits targeting SaltStack (CVE-2020-11651), Apache Solr
(CVE-2020-13957) and Solaris 10 (CVE-2020-14817).
==Changes==
o Reporter bugfixes
o CommandLineExecuter bugfixes
==New Modules==
o zerologon (CVE-2020-1742)
o saltstack_minion_rce (CVE-2020-11651)
o solr_cloud_rce (CVE-2020-13957)
o solaris_sunssh (CVE-2020-14817)
2020-Sep-2 CANVAS 7.26
In this CANVAS release we are bringing you 5 new modules and bugfixes.
Our new modules include SMBGhost, both LPE and RCE versions. We are also
including an exploit for a deserialization flaw in Microsoft SQL Server
Reporting Services (CVE-2020-0618), a remote code execution exploit
targeting Microsoft Exchange Server (CVE-2020-0688) and a local
privilege escalation exploit targeting Microsoft Windows 7/8.1 and 10.
==Changes==
o SPIKE proxy fix
o handling of 401 with empty body
o Fixed an issue in ms08_034
==New Modules==
o SMBGHOST (CVE-2020-0796)
o smbghost_lpe (CVE-2020-0796)
o ssrs_viewstate_rce (CVE-2020-0618)
o owa_rce (CVE-2020-0688)
o menu_confusion_lpe (CVE-2019-0859)
2019-Feb-20 CANVAS 7.25
In this CANVAS release we are bringing you 7 new modules and bugfixes.
We have updated our installers in order to include a new dependency for
our curveball module (pyopenssl).
Our new modules include a total of four Remote Code Execution modules
targeting:
– Ruby on Rails (2)
– Citrix ADC/Gateway
– rConfig
We also added a module for the curveball vulnerability and two
post-exploitation modules for iDrac (retrieve list of users, remove user).
In addition to our modules we are also pushing a lot of bugfixes and
updates in order to support Windows 64bit on old modules.
==Changes==
o exploitmanager fix
o get_token_info no longer freezes other modules (e.g. GetSystem)
o Commands updated to support 64bit
    o dump_certstore
    o ps_networkinfo
    o ps_invokemimikatz
    o ad_adminhunter
    o ad_check4PSadmin
    o ad_dlexecute_psmosdef
    o ad_getcomputers
    o ad_getdomainusers
    o ad_getlocalusers
    o ad_getuserdetails
o GetSystem fixes and improvements
    o blacklisted event_viewer_mscfile
    o get_token_info is the first module to be called
==New Modules==
o netscaler_traversal_rce (CVE-2019-19781)
o curveball (CVE-2020-0601)
o rails_activestorage_rce (CVE-2019-5420)
o rails_accept_readfile (CVE-2019-5418)
o rconfig_ajaxserver_rce (CVE-2019-16662)
o del_idrac_user
o get_idrac_users
*CANVAS Tips ‘n’ Tricks*:
The rails_activestorage_rce module only affects apps deployed in
production mode and uses rails_accept_readfile to read files needed to
obtain Remote Code Execution.
2019-Dec-10 CANVAS 7.24 released
In this CANVAS release we are bringing you five new modules and bugfixes.
Our new modules include two Local Privilege Escalation modules targeting
Windows 10, two Remote Code Execution modules targeting Jenkins and
vBulletin and an exploit for Confluence (LFI).
We are also pushing a lot of bugfixes and updates in order to add
support for Windows 64bit to old modules and be compatible with GetSystem.
==Changes==
o linux installer improvements
    o prompt-toolkit installation
o Documentation has been updated
o BLUEKEEP payload improvements (stability)
o idrac_appweb_rce improvements and BINDSHELL payload support
o auto_lpe_windows improvements
o Commands updated to support 64bit
    o hw_enum
    o callbackloop
    o cleareventlog
    o recordaudio
    o drinkcoaster
    o getallprocessdata
    o keylogmem
    o keylog
    o checkvm
o GetSystem fixes and improvements
    o tpminit_wbemcomn
    o unmarshal_to_system
    o dde_closehandle_lpe
    o setimeinfoex_lpe
    o smb2_negotiate_local
    o atmfd_pool_buffer_underflow
    o event_viewer_mscfile
    o alpc_takeover_lpe
    o alpc_tasksched_lpe
    o ESET_LPC
    o ESET_EpFwNDIS
    o ms_ntvdm
    o ms16_135
    o ms16_111
    o ms16_032
    o ms15_076
    o ms14_040
    o ms10_059
    o ms08_034
    o ms08_025
    o ms07_066
    o ms05_040
==New Modules==
o jenkins_checkscript_rce (CVE-2019-1003029, CVE-2019-1003005, CVE-2018-1000861)
o vbulletin_widget_rce (CVE-2019-16759)
o confluence_macro_lfi (CVE-2019-3396)
o alpc_appxedge_lpe (CVE-2019-1253)
o error_reporting_lpe (CVE-2019-1315)
*CANVAS Tips ‘n’ Tricks*:
If jenkins_checkscript_rce fails when a target is detected as
vulnerable, it’s due to an internal jenkins error. You just have to
re-run the module!
2019-Aug-13 CANVAS 7.23 updated again to include a new version of our
BLUEKEEP exploit, which now supports Windows 7 64bit.
2019-Aug-10 CANVAS 7.23 updated to include an improved
BLUEKEEP module.
o Highly improved reliability over 32bit Windows 7 SP1
o Not relying on TLSv1.2 anymore (which required targets to have an
optional patch installed)
o Updated linux_installer.sh to take care of the new dependencies for
BLUEKEEP and also updated module’s documentation in order to mention a
few corner cases when installing deps
2019-Jul-23 CANVAS 7.23 released
In this CANVAS release we are bringing you 9 new modules and bugfixes.
Our new modules include an initial implementation of BLUEKEEP targeting
Windows 7 SP1 32bit, one RCE targeting Exim 4.85+, four LPE targeting
Windows and three modules for listing and executing commands on
VirtualBox guests.
We are also pushing a lot of bugfixes and updates for old modules to
support Windows 64bit.
==Changes==
o MOSDEF fix (handling of 64bit integer comparisons)
o AV evasion fix (avoid visible UI when executed)
o VirtualBox Management Library (interact with guests from host via Python)
    o Found in libs/virtualization
o Commands updated to support 64bit
    o wlanlist
    o converttopowershell
    o runpowershellscript
    o powershellcommand
    o wmi_persistence
    o kerberos_ticket_list
    o info_sessions
    o get_dnscache
    o diskspider
    o deluser
    o WiFi_Key_Dumper
    o GetAddressBookInfo
    o GetBrowserInfo
    o domainname
    o LogonUser
    o arpscan
==New Modules==
o BLUEKEEP (CVE-2019-0708)
o dde_closehandle_lpe (CVE-2019-0803)
o exim_expansion_rce (CVE-2019-10149)
o alpc_takeover_lpe (CVE-2019-0841)
o destroyclass_uaf_lpe (CVE-2019-0623)
o setwindowfnid_lpe (CVE-2018-8453)
o vbox_vm_exec_cmd
o vbox_vm_keystroke_injection
o vbox_list_vms
*CANVAS Tips ‘n’ Tricks*:
vbox_vm_keystroke_injection can give you access to a VirtualBox guest
without requiring credentials! Be sure to check it out, it is based on
our new VirtualBox Management library that allows you to interact with
VBox guests from hosts via Python.
2019-Apr-15 CANVAS 7.22 released
CANVAS 7.22 Windows Spectre Demo (v2) link https://vimeo.com/319506545/700df0f25d
In this CANVAS release we are bringing you 9 new modules and bugfixes.
Our new modules include the SPECTRE exploit for Windows, two privilege escalation modules targeting Windows and Linux (Ubuntu), four remote code execution modules targeting Drupal, ColdFusion, Struts 2 and Exim, and two command modules able to retrieve a domain name (domainname) and credentials (getwindowscredentials) for a given Windows target.
==Changes==
o CommandLineExecuter fixes
o linux installer fixes (add missing components)
o win32 mosdef fixes (cleanup on disconnection)
o AddNullShare improvements
o AddUser 64bit support
o jenkins_xstream_rce fixes
o FileSystem Browser fixes
==New Modules==
o spectre_sam_leak (CVE-2017-5753)
o setimeinfoex_lpe (CVE-2018-8120)
o snapd_uid_overwrite (CVE-2019-7304)
o drupal_services_rce (CVE-2019-6340)
o coldfusion_rce (CVE-2018-15957)
o struts2_default_action_mapper (CVE-2013-2251)
o exim_heap_overflow (CVE-2018-6789)
o getwindowscredentials
o domainname
2019-Jan-24 CANVAS 7.21 released
In this CANVAS release we are bringing you 7 new modules and bugfixes.
Our new modules include an automatic local privilege escalation module
for Linux, one local privilege escalation targeting Windows 10
(alpc_tasksched_lpe), one remote exploit targeting Oracle WebLogic
Server (wls_core_deserialization), one clientside exploit targeting
Adobe Flash 32bit (adobe_flash_metadata_uaf), and 3 modules able to
extract credentials out of registry hive files (SAM, LSA secrets, cached
credentials).
==Changes==
o Callback AV evasion (Windows Only)
o libwinreg
    o Library for extracting registry information
o libwincreds
    o Library for extracting/manipulating credentials from registry
o getpasswordhashes fixes
o linux dependency installer fixes
    o added missing dependencies (xlrd, pillow)
o passthehash fixes on Windows 10
o seimpersonatepriv_lpe fixes
o UI node visualization improvements
    o Now provides color indication of privileges
==New Modules==
o auto_lpe_linux
o alpc_tasksched_lpe (CVE-2018-8440)
o wls_core_deserialization (CVE-2015-4852)
o adobe_flash_metadata_uaf (CVE-2018-15982)
o samdump
o lsadump
o cachedump
*CANVAS Tips ‘n’ Tricks*:
In CANVAS 7.21 we are also including the ability to build callbacks that
can avoid AV signatures! You can find the new option in our
BuildCallbackTrojan module dialog (Windows Only).
2018-Oct-31 CANVAS 7.20 released
In this CANVAS release we are bringing you 7 new modules and bugfixes.
Our new modules include an auto privilege escalation module for windows,
two arbitrary kernel read modules targeting Linux, one deserialization
module targeting JBoss <= 4.x, an arbitrary file upload module targeting
Blueimp JQuery-File-Upload, one user enumeration module targeting
OpenSSH <= 7.7 and a generic privilege escalation module targeting
misconfigured sudo.
==Changes==
o spectre_file_leak (Improvements)
o New CANVAS dependency installer available for Linux
    o Will install all of our required dependencies including Python 2.7
    o Installer available in CANVAS_ROOT/installer/linux_in
    o Documentation available in CANVAS_ROOT/Documentation/Linu
==New Modules==
o auto_lpe_windows
o show_timer_leak (CVE-2017-18344)
o dmesg_leak (CVE-2018-14656)
o jbossmq_httpil_deserialization (CVE-2017-7504)
o jquery_file_upload (CVE-2018-9206)
o ssh_enum (CVE-2018-15473)
o sudo_elevate
*CANVAS Tips ‘n’ Tricks*:
With this release we are also bringing a CANVAS Linux Dependencies
Installer! Be sure to check out the documentation in
CANVAS_ROOT/Documentation/Linu
2018-Aug-14 CANVAS 7.19 released
In this CANVAS release we are bringing you 5 new modules and bugfixes.
Our new modules include two remote exploits, one for ms17_010 and one
targeting Dell EMC iDRAC
(https://www.immunityinc.com/d
two local exploits targeting Linux (linux_waitid_write) and Windows
(unmarshal_to_system), and one command module for Windows that is able to
retrieve detailed information about privileges (get_token_info).
We are also releasing our new Windows Dependency Installer that will
take care of installing all required dependencies on Windows. It can be
found at:
https://www.immunityinc.com/do
==Changes==
o New CANVAS dependency installer available for Windows
    o Will install all of our required dependencies including Python 2.7
      (if selected)
    o Documentation available in CANVAS_ROOT/Documentation/Wind
o converttomosdef fixes for high privileged executables
o ETERNALBLUE Win 7 32bit support
==New Modules==
o ms17_010 (CVE-2017-0143)
o linux_waitid_write (CVE-2017-5123)
o idrac_appweb_rce (CVE-2018-1207)
o unmarshal_to_system (CVE-2018-0824)
o get_token_info
*CANVAS Tips ‘n’ Tricks*:
Be sure to check our new Windows Dependency Installer! With few clicks
you can easily install all required dependencies for CANVAS (including
Python if selected). You can check our new windows install guide if you
have any issue, it also includes steps for installing optional windows
dependencies!
2018-May-23 CANVAS 7.18 released
In this CANVAS release we are bringing you 9 new modules and bugfixes.
Our new modules include the SPECTRE exploit (able to leak any file from
kernel memory) and a local privilege escalation for Windows
(seimpersonatepriv_lpe).
We are also including 2 web exploits targeting IIS (MachineKey ViewState
Deserialization) and HPE iLO, 2 remote exploits targeting HP IMC and
JAVA RMI Service, 2 companion modules for the iis_machinekey exploit
(command modules, dump_certstore and get_machinekeys) and 1 recon module
for enumerating JAVA RMI exposed objects.
==Changes==
o Version Checker fixes
o New release notes and documentation menu entries (help)
==New Modules==
o spectre_file_leak (CVE-2017-5753)
o iis_machinekey
o get_machinekeys
o dump_certstore
o hp_imc_rce (CVE-2017-5816)
o java_rmi_service
o rmi_scanner
o hpe_ilo4_addNewAdmin (CVE-2017-12542)
o seimpersonatepriv_lpe
*CANVAS Tips ‘n’ Tricks*:
iis_machinekey will often get you a new, shiny NT AUTHORITY\SYSTEM
callback. This is done by auto-invoking seimpersonatepriv_lpe after
spawning the initial MOSDEF instance.
We are able to do this because, by default, an IIS AppPool user will
have SeImpersonatePrivilege enabled. That means our IIS AppPool-owned
callback can spawn processes with any token it has a handle and
appropriate access to. Our seimpersonatepriv_lpe module uses an NTLM
relay technique similar to that used in RottenPotato/NG
to get an NT AUTHORITY\SYSTEM token. After that, we’re just one
CreateProcessWithToken call from getting a new SYSTEM callback!
seimpersonatepriv_lpe can also be used in a myriad of other
circumstances. If you load MOSDEF into a Microsoft SQL Server process,
it will likely have SeImpersonatePrivilege enabled as well! Got a
callback as an NT AUTHORITY\Network Service user? They usually have
that privilege, too. You’re just a few clicks away from a SYSTEM
shell.
2018-Feb-28 CANVAS 7.17 released
In this CANVAS release we are bringing you 7 new modules and bugfixes.
Our new modules include one client-side exploit targeting
CVE-2017-11906/CVE-2017-11907, a remote exploit for ETERNALBLUE
(MS17-010), 3 web modules targeting CouchDB, Oracle Forms and WordPress
UserPRO plugin, 2 remote modules targeting GoAhead and Apache Struts 2.x.
==Changes==
o Windows payloads64 fixes
o ARM ShellServer fixes
o UI fixes (modules categorized incorrectly)
o debian_ssh_key fixes (missing download now available)
o JAVA MOSDEF fixes
==New Modules==
o wpad_jscript (CVE-2017-11906 / CVE-2017-11907)
o ETERNALBLUE (MS17-010)
o couchdb_roles (CVE-2017-12635)
o oracle_forms_rce (CVE-2014-4278)
o wpuserpro_rce (CVE-2017-16562)
o goahead_env_rce (CVE-2017-17562)
o struts2_dmi_rce (CVE-2016-3081)
*CANVAS Tips ‘n’ Tricks*:
Our couchdb_roles module can get you access to more than just one
CouchDB node.
If you compromise one system with couchdb_roles in its default
configuration, pay attention to the system names logged after the line
“set to one of these names to root more systems”. Run the module again
with the “Node name/address” dialog property set to one of the names to
get a shell on that member of the CouchDB cluster!
2017-Dec-1 CANVAS 7.16 released
In this CANVAS release we are bringing you 8 new modules and important
bugfixes.
Our new modules include 2 exploits targeting Microsoft Office
(CVE-2017-8759 and CVE-2017-8570, no CVE for the DDE bug), an exploit
targeting Tomcat, one preauth command injection exploit for Brightmail
and the ntfs3g modprobe exploit. Finally we are including an exploit
targeting Emacs and 2 recon modules (http_method_scanner and webcrawler).
==Changes==
o Bugfixes in several modules
    o autohack
    o report generation
    o File System Browser
o SPIKE proxy is now using tlslite-ng underneath
o DataView Tab has been removed from the UI
==New Modules==
o office_dde
o office_wsdl (CVE-2017-8759, CVE-2017-8570)
o tomcat_file_upload (CVE-2017-12615)
o brightmail_restore (CVE-2017-6327)
o ntfs3g_modprobe (CVE-2017-0358)
o emacs_enriched (CVE-2017-14482)
o http_method_scanner
o webcrawler
*CANVAS Tips ‘n’ Tricks*:
It is possible to edit the templates used in Microsoft Office exploits
that utilize OOXML. In office_dde, edit Resources/ddeauto_template.doc
In office_wsdl, edit Resources/template.csv and template.ppsx. Make sure
to not edit anything related to file links or DDE field codes in those
documents.
office_wsdl must be run as root because the vulnerable WSDL-fetching .NET
code requires the WSDL to be served from port 80.