0
/ Published in Brand, Immunity, Product, SILICA

Immunity CANVAS and SILICA, CANVAS Exploitation Pack Update

E-SPIN please to announce for the following latest round of the Immunity CANVAS and SILICA, CANVAS Exploitation Pack update and upgrade for the following related product lines compiled from the various technical resources for easy reading in one go:

D2 Elliot Web Exploitation Framework 1.14, August 7 2018

  • D2 Elliot has been updated with 11 new web exploits. Payloads and workflows
    have been improved.

Changelog:

Exploits – Added:
E-645 – Trend Micro Endpoint Application Control FileDrop Servlet File Upload
E-646 – ManageEngine Applications Manager SQL Injection
E-647 – Node.js 8.5.0 Path Traversal File Disclosure
E-648 – uWSGI Path Traversal File Disclosure
E-649 – ManageEngine Applications MyPage.do Manager SQL Injection
E-650 – Symantec Messaging Gateway 10.6.1 File Disclosure
E-651 – Spring Data Commons RCE
E-652 – Oracle WebLogic Server WLS File Upload
E-653 – Dolibarr adherents/list.php SQL Injection
E-654 – Pivotal Spring Data Commons / Spring Data REST XXE File Disclosure
E-655 – phpMyAdmin 4.8.1 RCE

D2 Exploitation Pack 2.27, August 1, 2018

  • D2 Exploitation Pack 2.27 has been released with 4 new exploits.
    This month we provide you two remote exploits for Oracle WebLogic and
    ManageEngine Exchange Reporter Plus. We also added two new exploits to
    pwnrouter.

Changelog:

canvas_modules – Added:
– d2sec_wlswsat: Oracle WebLogic WSAT Remote Code Execution Vulnerability
– d2sec_exchangerp: ManageEngine Exchange Reporter Plus Remote Code Execution Vulnerability
– d2sec_pwnrouter:
d2sec_dahua_1: Dahua DVR Credentials Disclosure Vulnerability
d2sec_mikrotik_1: Mikrotik RouterOS Credentials Disclosure Vulnerability

DefPack pack 1.33 27, Jul 2018

1.33 ver. of DefPack contains 7 modules. List:
– TrendNet TEW-751DR, TEW-752DRU, TEW733GR routers – Information Disclosure. public
– HPE Intelligent Management Center Privilege Escalation” [1Day]
– Infrasightlabs vScopeServer Remote Command Execution” [1Day]
– Infrasightlabs vScopeServer RCE 2″ [1Day]
– Kaspersky KSN for Linux 5.2 – Denial of Service. public
– Parallels Remote Application Server (RAS) 15.5 – Path Traversal. CVE-2017-9447
– SEGGER embOS/IP FTP Server 3.22 – Denial of Service. CVE-2018-7449

SCADA+ pack 1.79 26, Jul 2018

1.80 ver. of SCADA+ contains 8 1-day`s. List:
– S3 Scada Remote Runtime Stop [1Day]
– Advantech WebAccess(8.3) Dashboard Viewer arbitrary file upload [1Day]
– Advantech WebAccess(8.3) Dashboard Viewer Directory Traversal and file delete [1Day]
– Advantech WebAccess webvrpcs Arbitrary File Disclosure [1Day]
– IntegraXor Config Corruption [1Day]
– IntegraXor Information Disclosure [1Day]
– MyScada MyPRO Hardcode RCE [1Day]
– Remote Osciloscope DoS [1Day]
Agora pack 2.79 26, Jul 2018
2.79 ver. of Agora contains 5 modules. List:
– Typesetter CMS Arbitrary File Upload RCE [1day]
– App Builder Directory Traversal [1day]
– Coredy CX-E120 Repeater – Remote Command Execution. [public]
– PHP development server crashes on GET/POST request. [public]
– Tiki Wiki 15.1 Unauthenticated File Upload Vulnerability. [public]
CANVAS 7.18 released 24, May 2018

In this CANVAS release we are bringing you 9 new modules and bugfixes.

Our new modules include the SPECTRE exploit (able to leak any file from
kernel memory) and a local privilege escalation for Windows
(seimpersonatepriv_lpe).
We are also including 2 web exploits targeting IIS (MachineKey ViewState
Deserialization) and HPE iLO, 2 remote exploits targeting HP IMC and
JAVA RMI Service, 2 companion modules for the iis_machinekey exploit
(command modules, dump_certstore and get_machinekeys) and 1 recon module
for enumerating JAVA RMI exposed objects.

==Changes==
o Version Checker fixes
o New release notes and documentation menu entries (help)

==New Modules==
o spectre_file_leak (CVE-2017-5753)
o iis_machinekey
o get_machinekeys
o dump_certstore
o hp_imc_rce (CVE-2017-5816)
o java_rmi_service
o rmi_scanner
o hpe_ilo4_addNewAdmin (CVE-2017-12542)
o seimpersonatepriv_lpe

*CANVAS Tips ‘n’ Tricks*:
iis_machinekeys will often get you a new, shiny NT AUTHORITY\SYSTEM callback. This is done by auto-invoking seimpersonatepriv_lpe after spawning the initial MOSDEF instance.

We are able to do this because, by default, an IIS AppPool user will have SeImpersonatePrivilege enabled. That means our IIS AppPool-owned callback can spawn processes with any token it has a handle and appropriate access to. Our seimpersonatepriv_lpe module uses an NTLM relay technique similar to that used in RottenPotato/NG to get an NT AUTHORITY\SYSTEM token. After that, we’re just one CreateProcessWithToken call from getting a new SYSTEM callback!

seimpersonatepriv_lpe can also be used in a myriad of other circumstances. If you load MOSDEF into a Microsoft SQL Server process, it will likely have SeImpersonatePrivilege enabled as well! Got a callback as an NT AUTHORITY\Network Service user? They usually have that privilege, too. You’re just a few clicks away from a SYSTEM shell.

SILICA v7.34 2 Aug, 2018
* Updated SILICA VM:
This release adds support for the new SILICA VM. The new VM is based on
Xubuntu and includes updated system software.* Additional wireless card support:
Now SILICA supports wireless cards based on the MediaTek RT5572 chipset.Notice:
This SILICA version can only be installed on the last version of the VM.VulnDisco Pack Professional 10.59 31, Jul 2018

  • It includes MS Outlook 0day exploit.
Tagged under: , , , , , , , , , , , , ,

What you can read next

CANVAS Product Overview
From DevOps Shift Left Testing to DevSecOps Shift Left Security
Acunetix 360 for Enterprise
FREE Book- E-SPIN Professional Reading on Database Security: Database Activity Monitoring, Database Vulnerability Assessment, Auditing and Scanning
FREE Book- E-SPIN Professional Reading on Database Security: Database Activity Monitoring, Database Vulnerability Assessment, Auditing and Scanning

Leave a Reply

Your email address will not be published. Required fields are marked *