E-SPIN please to announce for the following latest round of the Immunity CANVAS and SILICA, CANVAS Exploitation Pack update and upgrade for the following related product lines compiled from the various technical resources for easy reading in one go:
D2 Elliot Web Exploitation Framework 1.14, August 7 2018
Changelog:
Exploits – Added:
E-645 – Trend Micro Endpoint Application Control FileDrop Servlet File Upload
E-646 – ManageEngine Applications Manager SQL Injection
E-647 – Node.js 8.5.0 Path Traversal File Disclosure
E-648 – uWSGI Path Traversal File Disclosure
E-649 – ManageEngine Applications MyPage.do Manager SQL Injection
E-650 – Symantec Messaging Gateway 10.6.1 File Disclosure
E-651 – Spring Data Commons RCE
E-652 – Oracle WebLogic Server WLS File Upload
E-653 – Dolibarr adherents/list.php SQL Injection
E-654 – Pivotal Spring Data Commons / Spring Data REST XXE File Disclosure
E-655 – phpMyAdmin 4.8.1 RCE
D2 Exploitation Pack 2.27, August 1, 2018
Changelog:
canvas_modules – Added:
– d2sec_wlswsat: Oracle WebLogic WSAT Remote Code Execution Vulnerability
– d2sec_exchangerp: ManageEngine Exchange Reporter Plus Remote Code Execution Vulnerability
– d2sec_pwnrouter:
d2sec_dahua_1: Dahua DVR Credentials Disclosure Vulnerability
d2sec_mikrotik_1: Mikrotik RouterOS Credentials Disclosure Vulnerability
DefPack pack 1.33 27, Jul 2018
SCADA+ pack 1.79 26, Jul 2018
In this CANVAS release we are bringing you 9 new modules and bugfixes.
Our new modules include the SPECTRE exploit (able to leak any file from
kernel memory) and a local privilege escalation for Windows
(seimpersonatepriv_lpe).
We are also including 2 web exploits targeting IIS (MachineKey ViewState
Deserialization) and HPE iLO, 2 remote exploits targeting HP IMC and
JAVA RMI Service, 2 companion modules for the iis_machinekey exploit
(command modules, dump_certstore and get_machinekeys) and 1 recon module
for enumerating JAVA RMI exposed objects.
==Changes==
o Version Checker fixes
o New release notes and documentation menu entries (help)
==New Modules==
o spectre_file_leak (CVE-2017-5753)
o iis_machinekey
o get_machinekeys
o dump_certstore
o hp_imc_rce (CVE-2017-5816)
o java_rmi_service
o rmi_scanner
o hpe_ilo4_addNewAdmin (CVE-2017-12542)
o seimpersonatepriv_lpe
*CANVAS Tips ‘n’ Tricks*:
iis_machinekeys will often get you a new, shiny NT AUTHORITY\SYSTEM callback. This is done by auto-invoking seimpersonatepriv_lpe after spawning the initial MOSDEF instance.
We are able to do this because, by default, an IIS AppPool user will have SeImpersonatePrivilege enabled. That means our IIS AppPool-owned callback can spawn processes with any token it has a handle and appropriate access to. Our seimpersonatepriv_lpe module uses an NTLM relay technique similar to that used in RottenPotato/NG to get an NT AUTHORITY\SYSTEM token. After that, we’re just one CreateProcessWithToken call from getting a new SYSTEM callback!
seimpersonatepriv_lpe can also be used in a myriad of other circumstances. If you load MOSDEF into a Microsoft SQL Server process, it will likely have SeImpersonatePrivilege enabled as well! Got a callback as an NT AUTHORITY\Network Service user? They usually have that privilege, too. You’re just a few clicks away from a SYSTEM shell.
