Changelog.txt
7.26 September, 2020
New modules:
o SMBGHOST
o smbghost_lpe
o ssrs_viewstate_rce
o owa_rce
o menu_confusion_lpe
Updates:
o SPIKE proxy fix
o handling of 401 with empty body
o Fixed an issue in ms08_034
7.25 February, 2020
New modules:
o netscaler_traversal_rce
o curveball
o rails_activestorage_rce
o rails_accept_readfile
o rconfig_ajaxserver_rce
o del_idrac_user
o get_idrac_users
Updates:
o Fixed bug in exploitmanager
o get_token_info no longer freezes other modules
o Commands updated to support 64bit
    o dump_certstore
    o ps_networkinfo
    o ps_invokemimikatz
    o ad_adminhunter
    o ad_check4PSadmin
    o ad_dlexecute_psmosdef
    o ad_getcomputers
    o ad_getdomainusers
    o ad_getlocalusers
    o ad_getuserdetails
o GetSystem fixes and improvements
    o blacklisted event_viewer_mscfile
    o get_token_info is the first module to be called
7.24 December, 2019
New modules:
o jenkins_checkscript_rce
o vbulletin_widget_rce
o confluence_macro_lfi
o alpc_appxedge_lpe
o error_reporting_lpe
Updates:
o linux installer improvements
    o prompt-toolkit installation
o Documentation has been updated
o BLUEKEEP payload improvements (stability)
o idrac_appweb_rce improvements and BINDSHELL payload support
o auto_lpe_windows improvements
o Commands updated to support 64bit
    o hw_enum
    o callbackloop
    o cleareventlog
    o recordaudio
    o drinkcoaster
    o getallprocessdata
    o keylogmem
    o keylog
    o checkvm
o GetSystem fixes and improvements
    o tpminit_wbemcomn
    o unmarshal_to_system
    o dde_closehandle_lpe
    o setimeinfoex_lpe
    o smb2_negotiate_local
    o atmfd_pool_buffer_underflow
    o event_viewer_mscfile
    o alpc_takeover_lpe
    o alpc_tasksched_lpe
    o ESET_LPC
    o ESET_EpFwNDIS
    o ms_ntvdm
    o ms16_135
    o ms16_111
    o ms16_032
    o ms15_076
    o ms14_040
    o ms10_059
    o ms08_034
    o ms08_025
    o ms07_066
    o ms05_040
7.23 June, 2019
New modules:
o BLUEKEEP
o dde_closehandle_lpe
o exim_expansion_rce
o alpc_takeover_lpe
o setwindowfnid_lpe
o destroyclass_uaf_lpe
o vbox_vm_exec_cmd
o vbox_vm_keystroke_injection
o vbox_list_vms
Updates:
o MOSDEF fix (handling of 64bit integer comparisons)
o AV evasion fix (avoid visible UI when building with BuildCallbackTrojan)
o VirtualBox Library for Management
o Commands updated to support 64bit
    o wlanlist
    o converttopowershell
    o runpowershellscript
    o powershellcommand
    o wmi_persistence
    o kerberos_ticket_list
    o info_sessions
    o get_dnscache
    o diskspider
    o deluser
    o WiFi_Key_Dumper
    o GetAddressBookInfo
    o GetBrowserInfo
    o domainname
    o LogonUser
    o arpscan
7.22 April, 2019
New modules:
o spectre_sam_leak
o snapd_uid_overwrite
o setimeinfoex_lpe
o drupal_services_rce
o coldfusion_rce
o struts2_default_action_mapper
o exim_heap_overflow
o getwindowscredentials
o domainname
Updates:
o CommandLineExecuter fixes
o linux installer fixes (add missing components)
o win32 mosdef fixes (cleanup on disconnection)
o AddNullShare improvements
o AddUser 64bit support
o jenkins_xstream_rce fixes
o FileSystem Browser fixes
7.21 January, 2019
New modules:
o auto_lpe_linux
o alpc_tasksched_lpe
o wls_core_deserialization
o adobe_flash_metadata_uaf
o samdump
o lsadump
o cachedump
Updates:
o Callback AV evasion
o libwinreg - library for extracting registry information
o libwincreds - library for extracting/manipulating credentials from registry
o getpasswordhashes fixes
o linux installer fixes - added missing dependencies (xlrd, pillow)
o passthehash fixes on Windows 10
o seimpersonatepriv_lpe fixes
o UI node visualization improvements
    o Now provides color indication of privileges
7.20 October, 2018
New modules:
o auto_lpe_windows
o show_timer_leak
o dmesg_leak
o jbossmq_httpil_deserialization
o jquery_file_upload
o ssh_enum
o sudo_elevate
Updates:
o spectre_file_leak
o New CANVAS dependency installer available for Linux
    o Will install all of our required dependencies including Python 2.7
    o Documentation available in CANVAS_ROOT/Documentation/Linux_Install_Guide.txt
7.19 August, 2018
New modules:
o ms17_010
o linux_waitid_write
o idrac_appweb_rce
o unmarshal_to_system
o get_token_info
Updates:
o New CANVAS dependency installer available for Windows
    o Will install all of our required dependencies including Python 2.7 (if selected)
    o Documentation available in CANVAS_ROOT/Documentation/Windows_Install_Guide.txt
o converttomosdef fixes for high privileged executables
o ETERNALBLUE Win 7 32bit support
7.18 May, 2018
New modules:
o spectre_file_leak
o iis_machinekey
o get_machinekeys
o dump_certstore
o hp_imc_rce
o java_rmi_service
o rmi_scanner
o hpe_ilo4_addNewAdmin
o seimpersonatepriv_lpe
Updates:
o Version Checker fixes
o New release notes and documentation menu entries (help)
7.17 February, 2018
New modules:
o wpad_jscript
o couchdb_roles
o oracle_forms_rce
o struts2_dmi_rce
o goahead_env_rce
o ETERNALBLUE
o wpuserpro_rce
Updates:
o Windows payloads64 fixes
o ARM ShellServer fixes
o UI fixes (modules categorized incorrectly)
o debian_ssh_key fixes (missing download now available)
o JAVA MOSDEF fixes
7.16 November, 2017
New modules:
o office_dde
o office_wsdl
o tomcat_file_upload
o brightmail_restore
o ntfs3g_modprobe
o emacs_enriched
o http_method_scanner
o webcrawler
Updates:
o Bugfixes in several modules
    o autohack
    o report generation
    o File System Browser
o SPIKE proxy is now using tlslite-ng underneath
o DataView Tab has been removed from the UI
7.15 August, 2017
New modules:
o smbloris
o samba_is_known_pipename
o jenkins_xstream_rce
o special_lnk
o vehicleworkshop_upload
Updates:
o WiFi_Key_dumper Linux support
o Add configurable debug logging to Java MOSDEF
o Add ability to specify your own SSL version in Spike
o Add ability to convert screenshots to BMP on Linux
7.14 June, 2017
New modules:
o iis6_propfind
o solaris_rpc_cmsd
o solaris_rpc_libnsl
o linux_screen
o struts_ognl
o sdclt_uac_bypass
o drupal_services_sqli
Updates:
o Add STRATEGIC documentation (Documentation/Usage)
o Fix an issue within the CANVAS dependency checker that was causing a crash
on platforms that were missing the required libraries
o Fix a UI issue in apport_crash_handler (required to choose a local file
several times)
7.13 March, 2017
New modules:
o ms16_111
o tpminit_wbemcomn
o apport_crash_handler
o jetbrains_rce
o getintegritylevel
o check_admin_user
o inject_mosdef
Updates:
o Minor improvements to report generation
o Updated wp_finger to be compatible with recent versions
o Fix pivoting with linux64 nodes
o userenum fixes
o shareenum fixes
o Major improvements to our Kerberos library
    o New AES ciphers supported
    o ccache API improvements
    o Updated all kerberos-related modules to use new interfaces
o autohack improvements
    o Added support for CISCO
    o More organized information provided
o Powershell Listener fixes
o Updated install information in our documentation (pycrypto on 64bit)
7.12 January, 2017
New modules:
o ms16_135
o linux_foll_write_cow (CVE-2016-5195)
o pbx_rce
o cisco_snmp_oid (CVE-2016-6366)
o snmp_brute
Updates:
o Proper cleanup on node close/disconnection
o Fix on 64bit linux remote resolver
o getarch was being incorrectly executed on unsupported arch(s)
o New CANVAS user documentation available at CANVAS_ROOT/Documentation/Usage
o binderx now supports OLE object custom actions
7.11 September, 2016
New modules:
o adobe_flash_id3 (CVE-2015-5560)
o event_viewer_mscfile (UAC bypass)
o badtunnel (MS16-077)
o magento_set_payment_information (CVE-2016-4010)
o rails_webconsole_rce
o wp_themedetect
Updates:
o Bugfixes on several modules
    o ms10_059
    o ms11_054
    o jenkins_cli_deserialization
    o joomla_session_unserialize
    o joomla_print
    o getwwwhostname
    o ip_to_vhost
o mosdefmigrate win10 support
o Improvements on overlayfs
o Prebuilt libraries for main targets available
o Add support for latest OSes to WiFi Key Dumper
7.10 June, 2016
New modules:
o joomla_session_unserialize
o ms16_006_silverlight
o ms16_032
o rails_actionpack_render
o airos_remote_write
o sap_bi_p4
o get_putty_info
o wp_plugindetect
o ps_invokemimikatz
o binderx
o getarch
o get_installed_software
Updates:
o Bugfixes on ClientD spammer
    o Emails could only be sent out once
o converttomosdef fix on Java nodes
o Bugfixes on getloggedinhashes
o Bugfixes on licensecheck
o Bugfixes on disable_windows_defender
o Clientd spammer is now able to add attachments
o GetUserActive 64bit support
7.09 April, 2016
New modules:
o jenkins_jrmp_deserialization (CVE-2016-0788)
o alienvault_alarm_deserialization
o vrealize_vcofactory_deserialize (CVE-2015-6934)
o CVE_2016_1757
Updates:
o Add ability to disable certificate validation for web exploits
o Bugfixes on ClientD
7.08 February, 2016
New modules:
o trendmicro_maxsec_10
o overlayfs_setattr
o jboss6_jmxinvokerservlet_deserialize
o jenkins_cli_deserialization
o weblogic_t3_deserialization
o wmi_persistence
o ad_getuserdetails
Updates:
o New modules right-click context menu from within our Search Pane (Add/Remove to/from Favorites)
o Proxy support for PowerShell Nodes
o Bugfixes on BuildWARCallbackTrojan
o Bugfixes on PowerShell modules
o Right-click on AD Users through our AD Browser to get more detailed information
o Bugfixes on ClientD
o Add ability to dump predefined keys in reg_dump (Include interesting keys option)
7.07 November, 2015
New modules:
o vbulletin_preauth_decodeArguments
o firefox_pdfjs_filereader
o reg_fingerprint
o reg_loggedon
o reg_create_key
o reg_delete_key
o reg_add_value
o reg_delete_value
Updates:
o Fix for PowerShell Node/Listener
o New right-click context menu on modules (Add/Remove to/from Favorites)
o Disable DNS resolution on session import
o Bugfixes and improvements over the winreg API
o Improvements on reg_dump
o Bugfixes on the LSARPC library
7.06 October, 2015
New modules:
o ms15_102
o ms14_025
o osx_rsh_libmalloc
o reg_dump
o dcsync
Updates:
o MacOS X El Capitan support
o Reimplement sessions functionality through our new logging mechanism
o Fix for module-specific logging information not reported in log window
o Fix sniffer-related modules
o Fix for PowerShell callback not terminating when connection is lost
o Bugfixes in libdcerpc/getremotelanguage
o New drsuapi RPC library
o New winreg RPC library
o Improvements and bugfixes to userenum
o Improvements to cleanup phase
o Exploits can now report detailed information regarding each selected node
7.05 September, 2015
New modules:
o ESET_LPC
o ms15_100
o overlayfs
o hanword_exec
o ad_getcomputers
o ad_getlocalusers
o ad_getdomainusers
o ad_dlexecute_psmosdef
o ad_check4PSAdmin
o converttopowershell
o runpowershellscript
o citrix_netscaler_soap
Updates:
o New Active Directory Browser
o Fix an issue related to big files upload on a PowerShell Node
o libsmb bugfixes
o switch_user bugfix
o New logging mechanism for reporting information to users
7.04 August, 2015 (August release)
New modules:
o osx_rootpipe2
o ESET_EpFwNDIS
o New PowerShell capabilities (Listener, Node)
o BuildPowershellCallback
o powershellcommand
Updates:
o New PowerShell Node Capabilities
o New internal wkssvc library
o Complete rewrite of userenum
    o Bugfixes
    o Support for Win 2012
    o Providing more and better output
    o Kerberos support
o 64bit support for atmfd_local_buffer_underflow
o dcedump improvements
    o Ability to query port 445 using domain credentials
o ifids improvements
    o Kerberos support
    o Now accepts credentials
    o Bugfixes
o LSARPC library bugfixes
o libdcerpc bugfixes
7.03 July, 2015 (July release)
New modules:
o adobe_flash_valueof
o atmfd_pool_buffer_underflow
o osx_dyld_print_to_file
o avdsimport
Updates:
o Fix an issue with kerberos_ticket_list on targets not part of a domain
o Improve userenum by adding kerberos support and ability to provide credentials
o Exploits tree filesystem reorganization
7.02 June, 2015 (June release)
New modules:
o ms15_051
o CVE_2015_3306
o adobe_flash_intoverflow_apply
Updates:
o Improve scan import speed by temporarily disabling DNS lookups (nexposeimport)
o nessusxml
    o Remove support for Nessus 3
    o Improve scan import speed by temporarily disabling DNS lookups
o Include pycrypto as part of our dependency checker
o Add Win8.1 target support in adobe_flash_domainMemory_uaf
7.01 May, 2015 (May release)
New modules:
o adobe_flash_domainMemory_uaf
o ms14_070
o rootpipe
o lnk_exec
o elasticsearch_CVE_2015_1427
o CVE_2014_9222
o nexposeimport
Updates:
o ms14_064_ie_oleaut32 now supporting Windows 8/8.1 targets
o dependency checker fix for MacOS (pyasn1 issue)
o BuildCallbackTrojan fix for correctly generating Solaris (SPARC) callbacks
o getpasswordhashes works only locally, removed the host field
o psexec refactoring and improvements
7.00 March, 2015 (March release)
New modules:
o ms14_064_ie_oleaut32
o shareenum_ng
Updates:
o x64linuxremoteresolver fixes
o x86 opcode generation fix (subq)
o mosdefmigrate fix
o report node id on listener shell
o kerberos_ticket_list, kerberos_ticket_export
    o 64bit support for Linux
    o massive tickets extraction
    o enabling TGT extraction using registry
o psexec bugfix
o info_sessions module update (now displaying sessionID)
o smbclient now supports kerberos
o shareenum now supports kerberos and fixed a bug on Windows 2008
6.99 February, 2015 (February release)
New modules:
o osx_stickykeysfree (IOHIKeyboardMapper::stickyKeysfree local privilege escalation)
o psexec
o kerberos_ticket_list
o kerberos_ticket_export
Updates:
o mosdefmigrate fix for 64bit
o pyembryo fix for MacOS X
o fix the status view in CANVAS GUI (now showing always the last module run)
o autoprivesc has been removed (was deprecated)
6.98 January, 2015 (January release)
New modules:
o osx_parsekeymapping (IOHIKeyboardMapper::parseKeyMapping local privilege escalation)
o ms14_068 (kerberos privilege escalation)
o wpeasycart_rce (WP-EasyCart Post-Auth file upload)
Updates:
o BuildCallbackTrojan MacOS X fix
o New Kerberos library
o smb library fixes
o Improved smb library including kerberos support
o facedetection has been removed (was deprecated)
6.97 December, 2014 (December release)
New modules:
o CVE_2014_5261
o wpsymposium_rce
o sandworm
Updates:
o ms10_059 fix
o Linux x86_64 MOSDEF fix
o PHP MOSDEF multiple fixes
o converttomosdef x86_64 fix
6.96 November, 2014 (November release)
New modules:
o linux_futex_requeue
o adobe_flash_copypixelstobytearray
o ms14_040
o joomla_mm_rce
o vbox_guest
o CVE_2014_5460
o wpdm_fileupload
o wptouch_nonce
o drupal_name_sqli
o drupal_name_sqli_callback
Updates:
o linux_pppol2tp (x86_64 support and new targets)
o MOSDEF Win8.1 x86_64 fixes
6.95 August, 2014 (August release)
New modules:
o linux_pppol2tp
o linux_tty_race
o mqac
o ie_cmarkup_2014_1776
o firefox_nsSVGValue
o owa_ipleak
Updates:
o Linux x86_64 Remote Resolver (NEW)
o MOSDEF Linux x86_64 fixes
6.94 June, 2014 (June release)
New modules:
o recvmmsg
o linux_ptrace_setregs
Updates:
o MOSDEF Linux x86_64 support
o BuildCallbackTrojan (ELF64 support)
o MOSDEF PHP (stability and IDS evasion)
o perf_swevent_init (x86_64)
o wp_finger (more versions)
6.93 April, 2014 (April release)
New modules:
o ie_cmarkup (Use-after-free bug for IE 10)
o ie_cardspaceclaimcollection (Clientside exploit for IE 8/9)
o STRATEGIC is now part of CANVAS, no longer extra add-on
Updates:
o wp_finger (more versions)
o acrobat_toolbutton (more versions)
6.92 January, 2014 (January release)
New modules:
o acrobat_toolbutton (Adobe Acrobat Reader ToolButton Use After Free)
o ndproxy (Windows NDProxy.sys Local Privilege Escalation)
o zabbix (Zabbix <= 2.0.8 PHP File inclusion exploit)
o wp_finger (Fingerprint WordPress based on .css and .js files)
6.91 December 03, 2013 (December release)
New modules:
o ie_cdisplaypointer (IE CDisplayPointer Use-After-Free ClientSide)
o CVE_2013_3881 (Win32k NULL Page Privilege Escalation)
o wordpress_backdoor
o wordpress_backdoor_connect
Updates:
o sudo_timestamp
6.90 October 24, 2013 (October release)
New modules:
o White Phosphorus exploit pack is now part of CANVAS
o sudo_timestamp (Linux/MacOS timestamp privilege escalation)
Updates:
o ms13_056 (Win7 Pro SP1 support)
o STRATEGIC ZeroMQ updates
o converttomosdef on OSX
6.89 August 26, 2013 (August release)
New modules:
o ms13_056 (Clientside exploit for IE8 DirectShow GIF rendering)
o java_generic_mosdef (Generic Java MOSDEF applet)
o maptrace (FreeBSD MMAP/PTRACE privilege escalation)
o perf_swevent_init (Linux escalation through CVE-2013-2094)
Updates:
o acrobat_xfa (Adobe Reader 11 support)
6.88 July 10, 2013 (July release)
New modules:
o acrobat_xfa (Acrobat reader <= 10.x clientside exploit)
o fs_pipe_race_to_null (Linux <= 2.6.31 local privilege escalation)
o moinmoin_rce (MoinMoin TWikidraw/AnyWikiDraw Remote Command Execution)
Updates:
o ip_to_vhosts reworked
o ClientD spammer fixes
o nginx_chunk reliability fixes
6.87 May 30, 2013 (May release)
New modules:
o java_DynamicBinding (Java Dynamic Type Binding Remote Code Execution)
o novell_nicm (Novell nicm.sys Local Privilege Escalation Attack)
o nginx_chunk (Nginx Chunked Encoding Stack Buffer Overflow)
o mdaemon_control (Remotely control a vulnerable MDaemon server)
o inject_from_mem (in-memory dynamic library injection)
Updates:
o Core updates for CENTOS6/RHEL6
o All DLL payloads (as used by BuildMOSDEFDLL) have been improved. Combined
with inject_from_mem, they no longer hijack the thread that was used to
inject them.
6.86 March 20, 2013 (March release)
New modules:
o adobe_flash_regexp (Adobe Flash Player Regex Heap Overflow)
o CVE_2012_5613 (MySQL Privilege Elevation Exploit)
o threadio (Sets current thread IO and memory priority to max)
Updates:
o MOSDEF/Win64: New MOSDEF-wrapped functions, 'long long *' bugfix in cparse2
o callbackloop (fixed stack corruptions)
o clientd (can now run multiple instances on different ports)
o java_MBeanInstantiator_findClass: updated to bypass the java security
warning by being served as serialized applet
(http://immunityproducts.blogspot.com.ar/2013/02/keep-calm-and-run-this-applet.html)
6.85 February 5, 2013 (February release)
New modules:
o windows_sniffer (Win32 && Win64 in-memory sniffer)
o java_MBeanInstantiator_findClass (Java MBeanInstantiator.findClass Remote Code Execution)
Updates:
o Improved AV evasion for trojans created with BuildCallbackTrojan and
BuildMOSDEFDLL
o ms12_043: Can now use HTTP/HTTPS MOSDEF
o mysql_version_detection: configurable timeout
o libs/mysqllib: configurable timeouts
o parallel_portscan: more flexible port specification, better thread handling
o httpuploader
o clientd (better UI for tunneling options)
6.84 November 30, 2012 (December release)
New modules:
o java_CVE_2012_5088 (Java MethodHandles.Lookup Remote Code Execution)
o java_jaxws (Java Applet JAX-WS Remote Code Execution)
o keylog2mem (In-Memory Win32 Keylogger with Live Streaming)
Updates:
o Fixed Java MOSDEF issue for XP
6.83 November 9, 2012
New modules:
o ms12_042 (MS12-042 Privilege Escalation Exploit)
o ie_execCommand (IE execCommand() Use-After-Free exploit)
o ms12_037 (MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow)
o adobe_flash_otf_parsing (Adobe Flash Player 11.3.300.2x integer overflow font parsing code execution)
o emc_networkerFS (EMC Networker format string exploitation)
o CVE_2010_3964 (Microsoft SharePoint Server 2007 Arbitrary File Upload RCE)
o dellchassis (DELL Web Interface Scanner)
o delldrac (DELL Web Interface Scanner)
o passwordhints (List user password hints)
o info_sessions (List information about all active sessions)
o wlanlist (List wireless network information)
o parallel_portscan (Threaded TCP portscanner)
Updates:
o Major CANVAS core updates to support new Strategic framework
o New JAVA MOSDEF implementation supports HTTP(S) MOSDEF callbacks
o java_deserialize2, java_forName_getField, java_AtomicReferenceArray
updated to use it
o New module types: localcommand and utility
o Bugfixes to JavaNode
6.82 September 4, 2012
New modules:
o ms12_043 (MS12-043 Microsoft Internet Explorer XML Core Services Uninitialized Memory Corruption)
o java_forName_getField (Java 7u6 forName/getField Method Invocation Sandbox Bypass)
o evocam (Evocam 3.6.6 to 3.6.7 Stack based buffer overflow)
o Itunes_10_6_1 (Itunes 10.4 to 10.6.1 Buffer Overflow)
o cutezip_filename (CuteZIP 2.1 Stack Buffer Overflow)
o ezserver (Ezhometech EzServer Stack Overflow Vulnerability)
o OSVDB_65361 (Novell ZENworks Configuration Management 0x21 Buffer Overflow)
o OSVDB_65361_0x6 (Novell ZENworks Configuration Management 0x6 Buffer Overflow)
o CVE_2011_3175 (Novell ZENworks Configuration Management 0x6c Buffer Overflow)
o CVE_2011_3176 (Novell ZENworks Configuration Management 0x4c Buffer Overflow)
o canvas_report (new reporting module)
Updates:
o New reporting framework, works standalone without OO installation
o SSL support for padding oracle
o Bugfixes to smbclient
o Clientd updated, new clientside reporting
6.81 July 9, 2012
New modules:
o SYSRET (exploit for invalid #GP @ CPL0 handling: FreeBSD AMD64 version)
o ms12_027 (MSCOMCTL.OCX ActiveX Buffer Overflow)
o ms12_004 (Clientside exploit for IE8 MIDI engine)
o mysql_login_remote (MySQL authentication bypass)
o strutsCodeInjection (Apache Struts2 code injector)
o adobe_flash_mp4_cprt (Adobe Flash Player 11.1.102.55 and earlier clientside)
o mysql_version_detection (Generic MySQL version recon module)
o configuration (Generic CANVAS configuration module)
Updates:
o Upgraded functionality for BSD ShellServer + new MOSDEF callback executable
o SSL MOSDEF for Linux/OSX/ARM9 ShellServers
o Updates to SMB ShellServer
o Many recon reliability updates to clientd modules
6.80 May 31, 2012
New modules:
o php_cgi_remote (CVE-2012-1823 PHP < 5.4 remote exploit)
o BuildWARCallbackTrojan (Generic WAR deployment module)
o ip_to_vhosts
Updates:
o New ClientD UI
o Updates to OSX remote resolvers
6.79 April 30, 2012
New modules:
o CVE_2012_1182 (SAMBA 3.4.x/3.5.x/3.6.x remote root)
o CVE_2012_1182_NONX (SAMBA 3.4.x/3.5.x/3.6.x remote root FreeBSD/Linux NONX)
o smbversion
Updates:
o Bugfixes to listener dialog upload/download for Unix
o Bugfixes to ClientD (plugin version detection)
6.78 March 30, 2012
New modules:
o java_AtomicReferenceArray (Type Confusion Sandbox Bypass)
Updates:
o ARM Documentation
o Improvements to BuildMOSDEFDLL (HTTP/HTTPS callback support)
o ClientD updated to work better with NAT interfaces
o Updates to keylog
o Reliability updates to mosdefmigrate/processinject/injectdll
6.77 February 29, 2012
New modules:
o CVE_2012_0056 (Linux local root)
Updates:
o Integrated ARM assembler/MOSDEF-C compiler frontend
o Full MOSDEF support for Android
o android_parentstylesheet now returns a MOSDEF Linux node
o CVE_2010_1807 now returns a MOSDEF Linux node
o Improvements to BuildCallbackTrojan (can generate ARM ELF callbacks)
o Improvements to getpasswordhashes, getloggedinhashes, mosdefmigrate
(reliability fixes)
6.76 January 31, 2012
New modules:
o ms12_005 (MS Office 2007-2010 Shell Object Packager file extension bypass)
o dotnetnuke_formbypass (ASP.Net Forms Authentication Bypass Vulnerability for DotNetNuke)
o firefox_array_reduceright (Client-Side vulnerability in Mozilla Firefox < 3.6.18)
Updates:
o Improvements to BuildMOSDEFDLL
o Improvements to getpasswordhashes, getloggedinhashes, mosdefmigrate
(They now work on Windows 2008, Vista and 7, 32 and 64bit)
o Improvements to 64bit Windows MOSDEF
o Improvements to dnsfind
6.75 December 29, 2011
New modules:
o pdf_u3d (Adobe Acrobat Reader U3D exploit)
o plone (Plone/Zope Remote Command Execution)
o ms11_080 (AfdJoinLeaf Pointer Overwrite Local Privilege Escalation)
o ms11_098 (Windows Kernel Exception Handler Privilege Escalation)
Updates:
o Improvements to command line
o Improvements to mysqllib
o Improvements to Android MOSDEF & listener
6.74 November 30, 2011
New modules:
o frontpage_rpc_fileupload (FrontPage Server Extension RPC File Upload)
o java_rhino (Sandbox bypass through Rhino engine: JDK/JRE <= 6 Update 27)
Updates:
o Improvements to PyELF framework
o Improvements to padding_oracle, thunderbird backdoor,
jboss_jmxconsole_deployer
o Improvements to Android MOSDEF & listener
6.73 October 26, 2011
New modules:
o jboss7_management_deployer (JBoss7 MOSDEF callback deployer)
o win32_sniffer (In-memory Windows MOSDEF sniffer)
o revproxybypass (Apache mod_rewrite misconfiguration detector)
Updates:
o New library + userland exec framework: PyELF
o Improvements and fixes to hcn_beaconlistener
o Improvements and fixes to Massattack/Vulnassess reports
o Improvements and fixes to timeline reporting
o Fixes to Linux/SMB node listeners (file download)
6.72 September 30, 2011
New modules:
o jboss_jmxconsole_deployer (JBoss Web JMX Console exploit)
o firefox_channelredirect (Firefox < (3.6.17|3.5.19) client-side)
o safari_renderdestroy (Safari <= 5.1 7534.50 client-side)
o BuildMOSDEFDLL (Builds dll that calls back to WIN32 MOSDEF listener)
Updates:
o Improvements to padding_oracle (reliability, speed)
o GetBrowserInfo grabs Firefox credentials from windows nodes
6.71 August 8, 2011
New modules:
o BuildDNSCallback (Builds a DNS callback trojan)
o flash_APSB11_18 (Adobe Flash Player exploit)
o ms11_054 (xxxMNHideNextHierarchy null pointer vulnerability)
Updates:
o Android 2.2.1 support for android_hotplug
o Improvements to padding_oracle, including support for the DNS payload
o Improvements to thunderbird_backdoor
6.70 June 30, 2011
New modules:
o CVE_2011_0997 (DHClient command injection)
o qualysguard (replaces qgimport/qgverify)
o tinymce_joomla (tinybrowser component exploit)
o wireshark_dect (Wireshark DECT dissector remote overflow)
o thunderbird_backdoor_deployer (installs thunderbird backdoor on compromised nodes)
o thunderbird_backdoor_manager (remotely manages a thunderbird backdoor)
Updates:
o DNS MOSDEF
o ms11_003 updated to work with DNS payload
o Improvements to padding_oracle and aspnet_download
o Improvements to CF_directory_traversal