[Canvas] CANVAS 7.18 released

Immunity CANVAS canvas at immunityinc.com
Wed May 23 21:24:06 UTC 2018 

########################################################################
#                       *CANVAS Release 7.18*                          #
########################################################################

*Date*: 23 May 2018

*Version*: 7.18

*Download URL*: https://canvas.immunityinc.com/getcanvas

*Release video*: https://vimeo.com/271127615

*Release Notes*:

In this CANVAS release we are bringing you 9 new modules and bugfixes.

Our new modules include the SPECTRE exploit (able to leak any file from
kernel memory) and a local privilege escalation for Windows
(seimpersonatepriv_lpe).
We are also including 2 web exploits targeting IIS (MachineKey ViewState
Deserialization) and HPE iLO, 2 remote exploits targeting HP IMC and
JAVA RMI Service, 2 companion modules for the iis_machinekey exploit
(command modules, dump_certstore and get_machinekeys) and 1 recon module
for enumerating JAVA RMI exposed objects.


==Changes==

o Version Checker fixes

o New release notes and documentation menu entries (help)

==New Modules==

o spectre_file_leak (CVE-2017-5753)

o iis_machinekey

o get_machinekeys

o dump_certstore

o hp_imc_rce (CVE-2017-5816)

o java_rmi_service

o rmi_scanner

o hpe_ilo4_addNewAdmin (CVE-2017-12542)

o seimpersonatepriv_lpe


*CANVAS Tips 'n' Tricks*:

iis_machinekeys will often get you a new, shiny NT AUTHORITY\SYSTEM
callback. This is done by auto-invoking seimpersonatepriv_lpe after
spawning the initial MOSDEF instance.

We are able to do this because, by default, an IIS AppPool user will
have SeImpersonatePrivilege enabled. That means our IIS AppPool-owned
callback can spawn processes with any token it has a handle and
appropriate access to. Our seimpersonatepriv_lpe module uses an NTLM
relay technique similar to that used in RottenPotato/NG
to get an NT AUTHORITY\SYSTEM token. After that, we're just one
CreateProcessWithToken call from getting a new SYSTEM callback!

seimpersonatepriv_lpe can also be used in a myriad of other
circumstances. If you load MOSDEF into a Microsoft SQL Server process,
it will likely have SeImpersonatePrivilege enabled as well! Got a
callback as an NT AUTHORITY\Network Service user? They usually have
that privilege, too. You're just a few clicks away from a SYSTEM
shell.

########################################################################
########################################################################

More information about the Canvas mailing list