E-SPIN
Thursday, 11 August 2022 / Published in Brand, Immunity, Product

Immunity CANVAS Latest Build and Release

Immunity CANVAS latest build and release notes, all in a single post. This is a common request, so we keep this post updated with the latest release at the top and older releases below it. Instead of creating separate posts on different dates, we combine everything in one place for easy reference to the edition and build history and the features implemented across releases. The post date is updated whenever new content is added, even though the older portion was published earlier, so that the post stays current for customers and for anyone who wants all the information in one place. Feel free to contact E-SPIN regarding the product and related matters.


2022-Aug-11 CANVAS 7.35 released

In this CANVAS release we are bringing you 4 new modules and bugfixes.

Our new modules include three remote code execution exploits targeting
CouchDB, Confluence, and Zabbix, and one client-side module targeting
Microsoft Office.

==Changes==

o f5_bigip_auth_bypass_rce – improved fingerprinting

o wso2_file_upload_rce – improved fingerprinting

==New Modules==

o couchdb_default_cookie (CVE-2022-24706)

o confluence_ognl_injection (CVE-2022-26134)

o office_follina_msdt_exec (CVE-2022-30190)

o zabbix_saml_bypass_rce (CVE-2022-23131)


2022-May-31 CANVAS 7.34 released

In this CANVAS release we are bringing you 4 new modules and bugfixes.

Our new modules include two remote modules targeting F5 BIG-IP and WSO2, and two
Linux kernel privilege escalation modules.

==Changes==

o Installer fixes for Kali Linux

==New Modules==

o f5_bigip_auth_bypass_rce (CVE-2022-1388)

o wso2_file_upload_rce (CVE-2022-29464)

o linux_esp6_output_head (CVE-2022-27666)

o linux_xt_compat_oob_write (CVE-2021-22555)


2022-Apr-14 CANVAS 7.33 released

In this CANVAS release we are bringing you 3 new modules and bugfixes.

Our new modules include two linux privilege escalation (linux_pipe_buffer,
linux_pkexec_argc) and a remote exploit targeting Redis.

==Changes==

o Update installer to support Blackbox 7

==New Modules==

o linux_pipe_buffer (CVE-2022-0847)

o linux_pkexec_argc (CVE-2021-4034)

o redis_sandbox_escape_rce (CVE-2022-0543)


2022-Jan-26 CANVAS 7.32 released

In this CANVAS release we are bringing you 5 new modules and bugfixes.

Our new modules include the log4j exploit (CVE-2021-44228), two VMware
vCenter exploits (CVE-2021-22005, CVE-2021-21985), an exploit for Grafana
(CVE-2021-43798) and one for Oracle WebLogic (CVE-2020-14882).

==Changes==

o spkproxy – ability to specify HTTP version in urlopen()

==New Modules==

o grafana_lfi (CVE-2021-43798)

o log4j_rce (CVE-2021-44228)

o vmware_vcenter_health_rce (CVE-2021-21985)

o vcenter_file_upload (CVE-2021-22005)

o weblogic_el_injection (CVE-2020-14882)


2021-Dec-10 CANVAS 7.31 released

In this CANVAS release we are bringing you 5 new modules and bugfixes.

Our new modules include a local privilege escalation targeting Windows 10 (CVE-2021-33739), a remote command execution exploit targeting Microsoft Azure OMI (CVE-2021-38647), a remote code execution in Microsoft Office (CVE-2021-40444), a module exploiting
SeriousSAM (CVE-2021-36934) and one remote command execution exploit targeting Apache 2.4.49/2.4.50 (CVE-2021-41773, CVE-2021-42013).

==Changes==

o Linux installer fixes (Kali)

==New Modules==

o dwm_remove_binding_lpe (CVE-2021-33739)

o office_mshtml_activex (CVE-2021-40444)

o omigod (CVE-2021-38647)

o serious_sam (CVE-2021-36934)

o apache_cgi_rce (CVE-2021-41773, CVE-2021-42013)


2021-Aug-31 CANVAS 7.30 released

In this CANVAS release we are bringing you 4 new modules and bugfixes.

Our new modules include both PrintNightmare implementations (LPE/RCE) and two
Sharepoint remote exploits.

==Changes==

o GetRoot updated with our latest modules

o seimpersonate_lpe fixes

o Linux installer updated for Ubuntu 21.04

o Windows installer fixes

==New Modules==

o print_nightmare_rce (CVE-2021-34527)

o print_nightmare_lpe (CVE-2021-34527)

o sharepoint_typeconverters_rce (CVE-2020-0932)

o sharepoint_workflows_rce (CVE-2020-0646)


2021-May-13 CANVAS 7.29 released

In this CANVAS release we are bringing you 3 new modules and bugfixes.

Our new modules include a client-side exploit targeting IE11 (ie_mshtml_doublefree) and two local privilege escalation exploits targeting Ubuntu (overlayfs_setxattr) and Windows 10 (wndextra_oob_lpe).

==Changes==

o Linux installer fixes
o Fix gtk2 installation on Ubuntu 18.04
o system-wide installation fixes

==New Modules==

o ie_mshtml_doublefree (CVE-2021-26411)

o overlayfs_setxattr (CVE-2021-3493)

o wndextra_oob_lpe (CVE-2021-1732)


2021-Mar-30 CANVAS 7.28

In this CANVAS release we are bringing you 4 new modules and bugfixes.

Our new modules include two local privilege escalation exploits targeting Windows
(vstrwrite01_lpe, service_tracing_lpe), one LPE targeting Ubuntu/Debian distros (sudo_heap_overflow) and a remote code execution exploit
targeting Microsoft Exchange Server (exchange_proxylogon_rce).

We updated our installation procedure information and also fixed our Linux installer in order to support Ubuntu 20.04 and Kali 2021.1.

==Changes==

o Documentation fixes
  o Updated installation procedure and supported platforms

o Linux installer fix
  o Added support for Ubuntu 20.04 and Kali 2021.1

==New Modules==

o sudo_heap_overflow (CVE-2021-3156)

o vstrwrite01_lpe (CVE-2020-1054)

o service_tracing_lpe (CVE-2020-0668)

o exchange_proxylogon_rce (CVE-2021-26855)


2021-Feb-9 CANVAS 7.27

In this CANVAS release we are bringing you 4 new modules and bugfixes.

Our new modules include zerologon (CVE-2020-1742) and three remote code
execution exploits targeting SaltStack (CVE-2020-11651), Apache Solr
(CVE-2020-13957) and Solaris 10 (CVE-2020-14817).

==Changes==
o Reporter bugfixes
o CommandLineExecuter bugfixes

==New Modules==
o zerologon (CVE-2020-1742)
o saltstack_minion_rce (CVE-2020-11651)
o solr_cloud_rce (CVE-2020-13957)
o solaris_sunssh (CVE-2020-14817)


2020-Sep-2 CANVAS 7.26

In this CANVAS release we are bringing you 5 new modules and bugfixes.

Our new modules include SMBGhost, both LPE and RCE versions. We are also
including an exploit for a deserialization flaw in Microsoft SQL Server
Reporting Services (CVE-2020-0618), a remote code execution exploit
targeting Microsoft Exchange Server (CVE-2020-0688) and a local
privilege escalation exploit targeting Microsoft Windows 7/8.1 and 10.

==Changes==

o SPIKE proxy fix
  o handling of 401 with empty body

o Fixed an issue in ms08_034

==New Modules==

o SMBGHOST (CVE-2020-0796)

o smbghost_lpe (CVE-2020-0796)

o ssrs_viewstate_rce (CVE-2020-0618)

o owa_rce (CVE-2020-0688)

o menu_confusion_lpe (CVE-2019-0859)


2019-Feb-20 CANVAS 7.25

In this CANVAS release we are bringing you 7 new modules and bugfixes.
We have updated our installers in order to include a new dependency for
our curveball module (pyopenssl).

Our new modules include a total of four Remote Code Execution modules
targeting:
– Ruby on Rails (2)
– Citrix ADC/Gateway
– rConfig

We also added a module for the curveball vulnerability and two
post-exploitation modules for iDrac (retrieve list of users, remove user).

In addition to our modules we are also pushing a lot of bugfixes and
updates in order to support Windows 64bit on old modules.

==Changes==

o exploitmanager fix

o get_token_info no longer freezes other modules (e.g. GetSystem)

o Commands updated to support 64bit
  o dump_certstore
  o ps_networkinfo
  o ps_invokemimikatz
  o ad_adminhunter
  o ad_check4PSadmin
  o ad_dlexecute_psmosdef
  o ad_getcomputers
  o ad_getdomainusers
  o ad_getlocalusers
  o ad_getuserdetails

o GetSystem fixes and improvements
  o blacklisted event_viewer_mscfile
  o get_token_info is the first module to be called

==New Modules==

o netscaler_traversal_rce (CVE-2019-19781)

o curveball (CVE-2020-0601)

o rails_activestorage_rce (CVE-2019-5420)

o rails_accept_readfile (CVE-2019-5418)

o rconfig_ajaxserver_rce (CVE-2019-16662)

o del_idrac_user

o get_idrac_users

*CANVAS Tips ‘n’ Tricks*:

The rails_activestorage_rce module only affects apps deployed in
production mode and uses rails_accept_readfile to read files needed to
obtain Remote Code Execution.


2019-Dec-10 CANVAS 7.24 released

In this CANVAS release we are bringing you five new modules and bugfixes.

Our new modules include two Local Privilege Escalation modules targeting
Windows 10, two Remote Code Execution modules targeting Jenkins and
vBulletin and an exploit for Confluence (LFI).

We are also pushing a lot of bugfixes and updates in order to add
support for Windows 64bit to old modules and be compatible with GetSystem.

==Changes==

o linux installer improvements
  o prompt-toolkit installation
  o Documentation has been updated

o BLUEKEEP payload improvements (stability)

o idrac_appweb_rce improvements and BINDSHELL payload support

o auto_lpe_windows improvements

o Commands updated to support 64bit
  o hw_enum
  o callbackloop
  o cleareventlog
  o recordaudio
  o drinkcoaster
  o getallprocessdata
  o keylogmem
  o keylog
  o checkvm

o GetSystem fixes and improvements
  o tpminit_wbemcomn
  o unmarshal_to_system
  o dde_closehandle_lpe
  o setimeinfoex_lpe
  o smb2_negotiate_local
  o atmfd_pool_buffer_underflow
  o event_viewer_mscfile
  o alpc_takeover_lpe
  o alpc_tasksched_lpe
  o ESET_LPC
  o ESET_EpFwNDIS
  o ms_ntvdm
  o ms16_135
  o ms16_111
  o ms16_032
  o ms15_076
  o ms14_040
  o ms10_059
  o ms08_034
  o ms08_025
  o ms07_066
  o ms05_040

==New Modules==

o jenkins_checkscript_rce (CVE-2019-1003029, CVE-2019-1003005, CVE-2018-1000861)

o vbulletin_widget_rce (CVE-2019-16759)

o confluence_macro_lfi (CVE-2019-3396)

o alpc_appxedge_lpe (CVE-2019-1253)

o error_reporting_lpe (CVE-2019-1315)

*CANVAS Tips ‘n’ Tricks*:

If jenkins_checkscript_rce fails when a target is detected as
vulnerable, it’s due to an internal jenkins error. You just have to
re-run the module!


2019-Aug-13 CANVAS 7.23 updated again to include a new version of our BLUEKEEP exploit, which now supports Windows 7 64bit.


2019-Aug-10 CANVAS 7.23 updated to include an improved BLUEKEEP module.

o Highly improved reliability on 32bit Windows 7 SP1
o No longer relies on TLSv1.2 (which required targets to have an optional patch installed)
o Updated linux_installer.sh to take care of the new dependencies for BLUEKEEP, and updated the module's documentation to mention a few corner cases when installing dependencies


2019-Jul-23 CANVAS 7.23 released

In this CANVAS release we are bringing you 9 new modules and bugfixes.

Our new modules include an initial implementation of BLUEKEEP targeting
Windows 7 SP1 32bit, one RCE targeting Exim 4.85+, four LPE targeting
Windows and three modules for listing and executing commands on
VirtualBox guests.

We are also pushing a lot of bugfixes and updates for old modules to
support Windows 64bit.

==Changes==

o MOSDEF fix (handling of 64bit integer comparisons)

o AV evasion fix (avoid visible UI when executed)

o VirtualBox Management Library (interact with guests from host via Python)
  o Found in libs/virtualization

o Commands updated to support 64bit
  o wlanlist
  o converttopowershell
  o runpowershellscript
  o powershellcommand
  o wmi_persistence
  o kerberos_ticket_list
  o info_sessions
  o get_dnscache
  o diskspider
  o deluser
  o WiFi_Key_Dumper
  o GetAddressBookInfo
  o GetBrowserInfo
  o domainname
  o LogonUser
  o arpscan

==New Modules==

o BLUEKEEP (CVE-2019-0708)

o dde_closehandle_lpe (CVE-2019-0803)

o exim_expansion_rce (CVE-2019-10149)

o alpc_takeover_lpe (CVE-2019-0841)

o destroyclass_uaf_lpe (CVE-2019-0623)

o setwindowfnid_lpe (CVE-2018-8453)

o vbox_vm_exec_cmd

o vbox_vm_keystroke_injection

o vbox_list_vms

*CANVAS Tips ‘n’ Tricks*:

vbox_vm_keystroke_injection can give you access to a VirtualBox guest
without requiring credentials! Be sure to check it out, it is based on
our new VirtualBox Management library that allows you to interact with
VBox guests from hosts via Python.


2019-Apr-15 CANVAS 7.22 released

CANVAS 7.22 Windows Spectre Demo (v2) link https://vimeo.com/319506545/700df0f25d

In this CANVAS release we are bringing you 9 new modules and bugfixes.

Our new modules include the SPECTRE exploit for Windows, two privilege escalation modules targeting Windows and Linux (Ubuntu), four remote code execution modules targeting Drupal, ColdFusion, Struts 2 and Exim, and two command modules able to retrieve a domain name (domainname) and credentials (getwindowscredentials) for a given Windows target.

==Changes==

o CommandLineExecuter fixes

o linux installer fixes (add missing components)

o win32 mosdef fixes (cleanup on disconnection)

o AddNullShare improvements

o AddUser 64bit support

o jenkins_xstream_rce fixes

o FileSystem Browser fixes

==New Modules==

o spectre_sam_leak (CVE-2017-5753)

o setimeinfoex_lpe (CVE-2018-8120)

o snapd_uid_overwrite (CVE-2019-7304)

o drupal_services_rce (CVE-2019-6340)

o coldfusion_rce (CVE-2018-15957)

o struts2_default_action_mapper (CVE-2013-2251)

o exim_heap_overflow (CVE-2018-6789)

o getwindowscredentials

o domainname


2019-Jan-24 CANVAS 7.21 released

In this CANVAS release we are bringing you 7 new modules and bugfixes.

Our new modules include an automatic local privilege escalation module
for Linux, one local privilege escalation targeting Windows 10
(alpc_tasksched_lpe), one remote exploit targeting Oracle WebLogic
Server (wls_core_deserialization), one clientside exploit targeting
Adobe Flash 32bit (adobe_flash_metadata_uaf), and 3 modules able to
extract credentials out of registry hive files (SAM, LSA secrets, cached
credentials).

==Changes==

o Callback AV evasion (Windows Only)

o libwinreg
  o Library for extracting registry information

o libwincreds
  o Library for extracting/manipulating credentials from registry

o getpasswordhashes fixes

o linux dependency installer fixes
  o added missing dependencies (xlrd, pillow)

o passthehash fixes on Windows 10

o seimpersonatepriv_lpe fixes

o UI node visualization improvements
  o Now provides color indication of privileges

==New Modules==

o auto_lpe_linux

o alpc_tasksched_lpe (CVE-2018-8440)

o wls_core_deserialization (CVE-2015-4852)

o adobe_flash_metadata_uaf (CVE-2018-15982)

o samdump

o lsadump

o cachedump

*CANVAS Tips ‘n’ Tricks*:

In CANVAS 7.21 we are also including the ability to build callbacks that
can avoid AV signatures! You can find the new option in our
BuildCallbackTrojan module dialog (Windows Only).


2018-Oct-31 CANVAS 7.20 released

In this CANVAS release we are bringing you 7 new modules and bugfixes.

Our new modules include an auto privilege escalation module for windows,
two arbitrary kernel read modules targeting Linux, one deserialization
module targeting JBoss <= 4.x, an arbitrary file upload module targeting
Blueimp JQuery-File-Upload, one user enumeration module targeting
OpenSSH <= 7.7 and a generic privilege escalation module targeting
misconfigured sudo.

==Changes==

o spectre_file_leak (Improvements)

o New CANVAS dependency installer available for Linux
  o Will install all of our required dependencies including Python 2.7
  o Installer available in CANVAS_ROOT/installer/linux_installer.sh
  o Documentation available in CANVAS_ROOT/Documentation/Linux_Install_Guide.txt

==New Modules==

o auto_lpe_windows

o show_timer_leak (CVE-2017-18344)

o dmesg_leak (CVE-2018-14656)

o jbossmq_httpil_deserialization (CVE-2017-7504)

o jquery_file_upload (CVE-2018-9206)

o ssh_enum (CVE-2018-15473)

o sudo_elevate

*CANVAS Tips ‘n’ Tricks*:

With this release we are also bringing a CANVAS Linux Dependencies
Installer! Be sure to check out the documentation in
CANVAS_ROOT/Documentation/Linux_Install_Guide.txt for more information!


2018-Aug-14 CANVAS 7.19 released

In this CANVAS release we are bringing you 5 new modules and bugfixes.

Our new modules include two remote exploits, one for ms17_010 and one
targeting Dell EMC iDRAC
(https://www.immunityinc.com/downloads/The-Unbearable-Lightness-of-BMC-wp.pdf),
two local exploits targeting Linux (linux_waitid_write) and Windows
(unmarshal_to_system), one command module for Windows that is able to
retrieve detailed information about privileges (get_token_info).

We are also releasing our new Windows Dependency Installer that will
take care of installing all required dependencies on Windows. It can be
found at:
https://www.immunityinc.com/downloads/CANVAS_Dependency_Installer.exe

==Changes==

o New CANVAS dependency installer available for Windows
  o Will install all of our required dependencies including Python 2.7 (if selected)
  o Documentation available in CANVAS_ROOT/Documentation/Windows_Install_Guide.txt

o converttomosdef fixes for high privileged executables

o ETERNALBLUE Win 7 32bit support

==New Modules==

o ms17_010 (CVE-2017-0143)

o linux_waitid_write (CVE-2017-5123)

o idrac_appweb_rce (CVE-2018-1207)

o unmarshal_to_system (CVE-2018-0824)

o get_token_info

*CANVAS Tips ‘n’ Tricks*:

Be sure to check our new Windows Dependency Installer! With few clicks
you can easily install all required dependencies for CANVAS (including
Python if selected). You can check our new windows install guide if you
have any issue, it also includes steps for installing optional windows
dependencies!


2018-May-23 CANVAS 7.18 released

In this CANVAS release we are bringing you 9 new modules and bugfixes.

Our new modules include the SPECTRE exploit (able to leak any file from
kernel memory) and a local privilege escalation for Windows
(seimpersonatepriv_lpe).
We are also including 2 web exploits targeting IIS (MachineKey ViewState
Deserialization) and HPE iLO, 2 remote exploits targeting HP IMC and
JAVA RMI Service, 2 companion modules for the iis_machinekey exploit
(command modules, dump_certstore and get_machinekeys) and 1 recon module
for enumerating JAVA RMI exposed objects.

==Changes==

o Version Checker fixes

o New release notes and documentation menu entries (help)

==New Modules==

o spectre_file_leak (CVE-2017-5753)

o iis_machinekey

o get_machinekeys

o dump_certstore

o hp_imc_rce (CVE-2017-5816)

o java_rmi_service

o rmi_scanner

o hpe_ilo4_addNewAdmin (CVE-2017-12542)

o seimpersonatepriv_lpe

*CANVAS Tips ‘n’ Tricks*:

iis_machinekey will often get you a new, shiny NT AUTHORITY\SYSTEM
callback. This is done by auto-invoking seimpersonatepriv_lpe after
spawning the initial MOSDEF instance.

We are able to do this because, by default, an IIS AppPool user will
have SeImpersonatePrivilege enabled. That means our IIS AppPool-owned
callback can spawn processes with any token it has a handle and
appropriate access to. Our seimpersonatepriv_lpe module uses an NTLM
relay technique similar to that used in RottenPotato/NG
to get an NT AUTHORITY\SYSTEM token. After that, we’re just one
CreateProcessWithToken call from getting a new SYSTEM callback!

seimpersonatepriv_lpe can also be used in a myriad of other
circumstances. If you load MOSDEF into a Microsoft SQL Server process,
it will likely have SeImpersonatePrivilege enabled as well! Got a
callback as an NT AUTHORITY\Network Service user? They usually have
that privilege, too. You’re just a few clicks away from a SYSTEM
shell.


2018-Feb-28 CANVAS 7.17 released

In this CANVAS release we are bringing you 7 new modules and bugfixes.

Our new modules include one client-side exploit targeting
CVE-2017-11906/CVE-2017-11907, a remote exploit for ETERNALBLUE
(MS17-010), 3 web modules targeting CouchDB, Oracle Forms and WordPress
UserPRO plugin, 2 remote modules targeting GoAhead and Apache Struts 2.x.

==Changes==

o Windows payloads64 fixes

o ARM ShellServer fixes

o UI fixes (modules categorized incorrectly)

o debian_ssh_key fixes (missing download now available)

o JAVA MOSDEF fixes

==New Modules==

o wpad_jscript (CVE-2017-11906 / CVE-2017-11907)

o ETERNALBLUE (MS17-010)

o couchdb_roles (CVE-2017-12635)

o oracle_forms_rce (CVE-2014-4278)

o wpuserpro_rce (CVE-2017-16562)

o goahead_env_rce (CVE-2017-17562)

o struts2_dmi_rce (CVE-2016-3081)

*CANVAS Tips ‘n’ Tricks*:

Our couchdb_roles module can get you access to more than just one
CouchDB node.
If you compromise one system with couchdb_roles in its default
configuration, pay attention to the system names logged after the line
“set to one of these names to root more systems”. Run the module again
with the “Node name/address” dialog property set to one of the names to
get a shell on that member of the CouchDB cluster!


2017-Dec-1 CANVAS 7.16 released

In this CANVAS release we are bringing you 8 new modules and important
bugfixes.

Our new modules include 2 exploits targeting Microsoft Office
(CVE-2017-8759 and CVE-2017-8570, no CVE for the DDE bug), an exploit
targeting Tomcat, one preauth command injection exploit for Brightmail
and the ntfs3g modprobe exploit. Finally we are including an exploit
targeting Emacs and 2 recon modules (http_method_scanner and webcrawler).

==Changes==

o Bugfixes in several modules
  o autohack
  o report generation
  o File System Browser

o SPIKE proxy is now using tlslite-ng underneath

o DataView Tab has been removed from the UI

==New Modules==

o office_dde

o office_wsdl (CVE-2017-8759, CVE-2017-8570)

o tomcat_file_upload (CVE-2017-12615)

o brightmail_restore (CVE-2017-6327)

o ntfs3g_modprobe (CVE-2017-0358)

o emacs_enriched (CVE-2017-14482)

o http_method_scanner

o webcrawler

*CANVAS Tips ‘n’ Tricks*:

It is possible to edit the templates used in Microsoft Office exploits
that utilize OOXML. In office_dde, edit Resources/ddeauto_template.docx.
In office_wsdl, edit Resources/template.csv and template.ppsx. Make sure
not to edit anything related to file links or DDE field codes in those
documents.

office_wsdl must be run as root as the vulnerable WSDL-fetching .NET
code requires it to be fetched from port 80.

Tagged under: CANVAS, Exploitation Testing, Immunity CANVAS, Penetration Testing (Pentesting)
