cbcvebase.
CVE-2004-2074
published 2004-12-31

CVE-2004-2074: Format string vulnerability in Dream FTP 1.02 allows local users to cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR…

Priority: P423 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 35.78% (98.3th percentile)
Format string vulnerability in Dream FTP 1.02 allows local users to cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
bolintech | dream_ftp_server | |

Detection & IOCs (extracted from sources)

port: 28876
command: \xeb\x29%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%8x%%%dd%%n%%n@@@@@@@@<shellcode>
other: Dream FTP Server (banner string)
bytes: \xeb\x29 (jump over format string exploit prefix)
  • Detect exploit traffic by matching the format string pattern sent over FTP (port 21): a sequence of multiple %8x format specifiers followed by a large decimal width %Nd%n pattern, preceded by the \xeb\x29 JMP stub.
  • Alert on FTP sessions to port 21 where the USER command payload contains the byte sequence EB 29 followed by repeated %8x format specifiers — this is the exploit's fixed prologue.
  • Monitor for unexpected outbound connections to port 28876 from FTP server hosts — successful exploitation binds a shell on that port.
  • Check FTP banner for 'Dream FTP Server' to identify vulnerable targets; the Metasploit module uses this string as its check condition.
  • The exploit targets the PASS or RETR FTP commands with format string specifiers; monitor FTP command arguments for %n, %x, or large %d width specifiers in those commands.
  • The Metasploit module hardcodes a single universal offset (0x3c63FF - 0x4f = 3957680) targeting the SEH handler; this offset was tested only against Windows 2000 SP0 and SP4 English and may not be reliable on other OS/SP combinations.
  • Payload bad characters exclude null byte, LF, and CR (\x00\x0a\x0d), which constrains shellcode selection and may affect detection signatures that rely on those bytes as delimiters.
  • The original PoC exploit targets Dream FTP v1.2 (also identified as 1.02 / TryFTP 1.0.0.1), indicating the vulnerability spans multiple version strings of the same product.
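
The argument checks from the detection notes above, applied to FTP command lines, as an added example that is not part of the original page or of the Metasploit module. The function names, the width threshold and the sample lines are assumptions constructed for illustration.

```python
import re

# Commands named on this page: PASS and RETR (CVE text), USER (detection note).
WATCHED = {b"USER", b"PASS", b"RETR"}
WIDTH_LIMIT = 1000        # assumption: a %<N>d width this large is never legitimate
MIN_HEX_READS = 3         # assumption: three or more %x in one argument is a probe
JMP_STUB = b"\xeb\x29"    # two-byte prefix listed under "bytes" above

# printf-style conversions relevant here: %x / %X, %d, %n, with optional width.
SPEC = re.compile(rb"%(\d*)([xXdn])")

def inspect_command(line: bytes) -> list[str]:
    """Return the reasons one FTP command line looks like a format string probe."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if verb.upper() not in WATCHED:
        return []
    specs = SPEC.findall(arg)
    reasons = []
    if any(conv == b"n" for _, conv in specs):
        reasons.append("percent-n write specifier")
    if sum(1 for _, conv in specs if conv in b"xX") >= MIN_HEX_READS:
        reasons.append("repeated %x stack reads")
    if any(conv == b"d" and width and int(width) >= WIDTH_LIMIT
           for width, conv in specs):
        reasons.append("large %d width")
    if arg.startswith(JMP_STUB):
        reasons.append("EB 29 prefix")
    return reasons

def flagged(lines: list[bytes]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every line that trips at least one check."""
    hits = [(i, inspect_command(l)) for i, l in enumerate(lines)]
    return [(i, r) for i, r in hits if r]

# Constructed sample session lines (not captured traffic).
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"RETR report%20final.txt\r\n",          # URL-style escape, not a conversion
    b"PASS %8x%8x%8x%8x%n\r\n",
    b"USER \xeb\x29%8x%8x%8x%2000000d%n\r\n",
]

if __name__ == "__main__":
    for index, reasons in flagged(SAMPLE):
        print(index, SAMPLE[index][:40], reasons)
```

Matching on raw bytes rather than decoded text keeps the EB 29 check intact, since those bytes are not valid UTF-8.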