E-SPIN is pleased to announce the latest round of Immunity CANVAS and SILICA updates, including the CANVAS Exploitation Pack updates and upgrades for the product lines below, compiled from the vendors' release notes for easy reading in one go:
D2 Elliot Web Exploitation Framework 1.14, August 7 2018
- D2 Elliot has been updated with 11 new web exploits. Payloads and workflows have been improved.
Changelog:
Exploits – Added:
E-645 – Trend Micro Endpoint Application Control FileDrop Servlet File Upload
E-646 – ManageEngine Applications Manager SQL Injection
E-647 – Node.js 8.5.0 Path Traversal File Disclosure
E-648 – uWSGI Path Traversal File Disclosure
E-649 – ManageEngine Applications MyPage.do Manager SQL Injection
E-650 – Symantec Messaging Gateway 10.6.1 File Disclosure
E-651 – Spring Data Commons RCE
E-652 – Oracle WebLogic Server WLS File Upload
E-653 – Dolibarr adherents/list.php SQL Injection
E-654 – Pivotal Spring Data Commons / Spring Data REST XXE File Disclosure
E-655 – phpMyAdmin 4.8.1 RCE
D2 Exploitation Pack 2.27, August 1, 2018
- D2 Exploitation Pack 2.27 has been released with 4 new exploits. This month we provide two remote exploits, for Oracle WebLogic and ManageEngine Exchange Reporter Plus, and two new credential-disclosure exploits for pwnrouter.
Changelog:
canvas_modules – Added:
– d2sec_wlswsat: Oracle WebLogic WSAT Remote Code Execution Vulnerability
– d2sec_exchangerp: ManageEngine Exchange Reporter Plus Remote Code Execution Vulnerability
– d2sec_pwnrouter:
  – d2sec_dahua_1: Dahua DVR Credentials Disclosure Vulnerability
  – d2sec_mikrotik_1: Mikrotik RouterOS Credentials Disclosure Vulnerability
DefPack 1.33, 27 Jul 2018
SCADA+ Pack 1.79, 26 Jul 2018
In this CANVAS release we are bringing you 9 new modules and bugfixes.
Our new modules include a SPECTRE exploit (spectre_file_leak, able to leak file contents from kernel memory) and a local privilege escalation for Windows (seimpersonatepriv_lpe).
We are also including 2 web exploits, one targeting IIS (MachineKey ViewState deserialization) and one targeting HPE iLO 4; 2 remote exploits targeting HP IMC and the Java RMI service; 2 companion modules for the iis_machinekey exploit (the command modules dump_certstore and get_machinekeys); and 1 recon module for enumerating objects exposed by Java RMI.
==Changes==
o Version Checker fixes
o New release notes and documentation menu entries (help)
==New Modules==
o spectre_file_leak (CVE-2017-5753)
o iis_machinekey
o get_machinekeys
o dump_certstore
o hp_imc_rce (CVE-2017-5816)
o java_rmi_service
o rmi_scanner
o hpe_ilo4_addNewAdmin (CVE-2017-12542)
o seimpersonatepriv_lpe
*CANVAS Tips ‘n’ Tricks*:
iis_machinekey will often get you a new, shiny NT AUTHORITY\SYSTEM callback: after spawning the initial MOSDEF instance it auto-invokes seimpersonatepriv_lpe.
We can do this because, by default, an IIS AppPool identity has SeImpersonatePrivilege enabled. That means a callback running as the AppPool identity can spawn processes under any token it holds a handle to with appropriate access. Our seimpersonatepriv_lpe module uses an NTLM relay technique similar to that used in RottenPotato/RottenPotatoNG to obtain an NT AUTHORITY\SYSTEM token. After that, we are just one CreateProcessWithToken call away from a new SYSTEM callback!
seimpersonatepriv_lpe can also be used in a myriad of other circumstances. If you load MOSDEF into a Microsoft SQL Server process, it will likely have SeImpersonatePrivilege enabled as well. Got a callback as NT AUTHORITY\NETWORK SERVICE? That account usually has the privilege too. You are just a few clicks away from a SYSTEM shell.
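The precondition for the technique above is that the process you land in holds SeImpersonatePrivilege. The following PowerShell script is an added example, not Immunity's or E-SPIN's code: it reads the token of the current shell and of the usual candidate processes (the names w3wp and sqlservr are assumptions, as is the helper class name TokenPrivs) and reports whether SeImpersonatePrivilege is present and enabled. Opening another account's process needs an elevated prompt; processes that cannot be opened are reported as warnings rather than aborting the run.

```powershell
# Added example (not Immunity/E-SPIN code): which running processes hold
# SeImpersonatePrivilege, the precondition for seimpersonatepriv_lpe-style
# token theft. Run from an elevated PowerShell.

$tokenReader = @'
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

public static class TokenPrivs   // helper name is an assumption
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string system, ref LUID luid, StringBuilder name, ref int length);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenPrivileges = 3;          // TOKEN_INFORMATION_CLASS value
    const uint SE_PRIVILEGE_ENABLED = 0x2;  // Attributes flag in LUID_AND_ATTRIBUTES

    // Returns "PrivilegeName=enabled|disabled" for every privilege in the process token.
    public static List<string> Get(IntPtr process)
    {
        var result = new List<string>();
        IntPtr token;
        if (!OpenProcessToken(process, TOKEN_QUERY, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            int needed;
            GetTokenInformation(token, TokenPrivileges, IntPtr.Zero, 0, out needed); // size query
            IntPtr buf = Marshal.AllocHGlobal(needed);
            try
            {
                if (!GetTokenInformation(token, TokenPrivileges, buf, needed, out needed))
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                // TOKEN_PRIVILEGES: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[]
                // entries of 12 bytes each (8-byte LUID + 4-byte Attributes).
                int count = Marshal.ReadInt32(buf);
                for (int i = 0; i < count; i++)
                {
                    IntPtr entry = new IntPtr(buf.ToInt64() + 4 + i * 12);
                    LUID luid = (LUID)Marshal.PtrToStructure(entry, typeof(LUID));
                    uint attrs = (uint)Marshal.ReadInt32(new IntPtr(entry.ToInt64() + 8));
                    int len = 0;
                    LookupPrivilegeName(null, ref luid, null, ref len); // size query
                    var name = new StringBuilder(len + 1);
                    len = name.Capacity;
                    if (!LookupPrivilegeName(null, ref luid, name, ref len)) continue;
                    bool enabled = (attrs & SE_PRIVILEGE_ENABLED) != 0;
                    result.Add(name.ToString() + "=" + (enabled ? "enabled" : "disabled"));
                }
            }
            finally { Marshal.FreeHGlobal(buf); }
        }
        finally { CloseHandle(token); }
        return result;
    }
}
'@
Add-Type -TypeDefinition $tokenReader

function Get-SeImpersonateReport {
    # Default process names are assumptions: IIS worker processes and SQL Server.
    param([string[]]$ProcessName = @('w3wp', 'sqlservr'))
    $targets = @([System.Diagnostics.Process]::GetCurrentProcess()) +
               @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    foreach ($p in $targets) {
        try {
            $privs = [TokenPrivs]::Get($p.Handle)
            $state = 'absent'
            $hit = $privs | Where-Object { $_ -like 'SeImpersonatePrivilege=*' } | Select-Object -First 1
            if ($hit) { $state = $hit.Split('=')[1] }
            [pscustomobject]@{
                Process                = $p.ProcessName
                PID                    = $p.Id
                SeImpersonatePrivilege = $state
                PrivilegeCount         = $privs.Count
            }
        } catch {
            Write-Warning ("{0} ({1}): {2}" -f $p.ProcessName, $p.Id, $_.Exception.Message)
        }
    }
}

Get-SeImpersonateReport | Format-Table -AutoSize
```

A row showing SeImpersonatePrivilege as "enabled" (or "disabled", since a process can enable a privilege it holds) marks a process whose identity could be used for this style of escalation; "absent" means the token does not carry the privilege at all, which is the state you want for hardened service accounts. The check only tells you whether the precondition holds; whether the RottenPotato-style relay itself succeeds depends on the Windows build.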
SILICA
- This release adds support for the new SILICA VM. The new VM is based on Xubuntu and includes updated system software.
- Additional wireless card support: SILICA now supports wireless cards based on the MediaTek RT5572 chipset.
Notice: This SILICA version can only be installed on the latest version of the VM.
VulnDisco Pack Professional 10.59, 31 Jul 2018
- Includes an MS Outlook 0-day exploit.