CVE-2004-0159

hsftp 1.11 - Authenticated Format String Vulnerability via Filename in ls Command

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-0159. PoCs published by [email protected].

AI-analyzed exploit summary This exploit targets a format string vulnerability in hsftp <=1.11, allowing remote code execution via a crafted format string payload. It overwrites the GOT entry of fputc to redirect execution to a UDP-based shellcode that listens on port 13330.

Description

Format string vulnerability in hsftp 1.11 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via file names containing format string characters that are not properly handled when executing an "ls" command.

Exploits (1)

exploitdb WORKING POC VERIFIED

by [email protected] · cremotelinux

https://www.exploit-db.com/exploits/23740

View Code ZIP pw:eip

This exploit targets a format string vulnerability in hsftp <=1.11, allowing remote code execution via a crafted format string payload. It overwrites the GOT entry of fputc to redirect execution to a UDP-based shellcode that listens on port 13330.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: hsftp <=1.11

No auth needed

Prerequisites: Network access to the vulnerable hsftp service · Target must be running hsftp <=1.11 on a compatible system (e.g., SUSE 7.0)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://www.osvdb.org/4029

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/15276

Patch, Vendor Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/9715

Mailing List mailing-list x_refsource_fulldisc

http://lists.grok.org.uk/pipermail/full-disclosure/2004-February/017737.html

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2004/dsa-447

Scores

EPSS 0.0902

EPSS Percentile 94.6%

Details

Status published

Products (7)

samhain_labs/hsftp 1.4

samhain_labs/hsftp 1.5

samhain_labs/hsftp 1.6

samhain_labs/hsftp 1.7

samhain_labs/hsftp 1.9

samhain_labs/hsftp 1.10

samhain_labs/hsftp 1.11

Published Mar 15, 2004

Tracked Since Feb 18, 2026