There's tons of client software that can be exploited if you send a dangerous payload to it. Think of an exploitable version of Curl that will fail if it receives a bad http header.
I would guess that it fingerprints the scanning software (e.g. metasploit), then feeds a payload back to it that has a known exploit in the scanning script.
I'd actually be curious to know if this seemingly ~10 year old software still works. Also how much bandwidth it uses, CPU/RAM etc.