w00t$portbut this should not be relied upon for detection purposes, also the shellcode should not be used for detection either.
Fortunately, Snort has detection dating back over 5 years for this issue.
The following Snort rules will catch this attack:
2374 - FTP NLST overflow attempt
3441 - FTP PORT bounce attempt
1973 - FTP MKD overflow attempt
1529 - FTP SITE overflow attempt
Also, the FTP/Telnet preprocessor will also generate events for this attack:
125:3:1 - FTP Parameter Length Overflow
125:6:1 - FTP Response Length Overflow
125:8:1 - FTP Bounce