CVE-2004-2523

OpenFTPD < 0.30.2 - Authenticated Remote Code Execution via Format String in Message Argument

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2004-2523. PoCs published by infamous41md, Andi.

AI-analyzed exploit summary: This exploit targets a format string vulnerability in OpenFTPD, leveraging the 'site msg' command to execute arbitrary shellcode. It hijacks the fclose() jumpslot and manipulates stack addresses to achieve remote code execution.

Description

Format string vulnerability in the msg command (cat_message function in msg.c) in OpenFTPD 0.30.2 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in the message argument.

Exploits (2)

exploitdb WORKING POC VERIFIED
by infamous41md · c · remote · linux
https://www.exploit-db.com/exploits/373

This exploit targets a format string vulnerability in OpenFTPD, leveraging the 'site msg' command to execute arbitrary shellcode. It hijacks the fclose() jumpslot and manipulates stack addresses to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenFTPD (most current version as of 2004)
Auth required
Prerequisites: Network access to the target FTP server · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Andi · c · remote · linux
https://www.exploit-db.com/exploits/372

This exploit targets a format string vulnerability in OpenFTPD <= 0.30.2, allowing remote code execution via crafted SITE MSG commands. It uses a format string attack to overwrite the GOT entry of fgets with the address of system, then executes arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenFTPD <= 0.30.2
Auth required
Prerequisites: Network access to OpenFTPD server · Valid FTP credentials · Target system matching one of the predefined libc versions
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2004-08/0017.html
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/12174
Exploit, Patch vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1010823
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16843
Various Sources x_refsource_confirm
http://www.openftpd.org:9673/openftpd
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/8261
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10830

Scores

EPSS 0.0540
EPSS Percentile 91.6%

Details

Status published
Products (4)
openftpd/openftpd_ftp_server 0.29.4
openftpd/openftpd_ftp_server 0.30
openftpd/openftpd_ftp_server 0.30.1
openftpd/openftpd_ftp_server < 0.30.2
Published Dec 31, 2004
Tracked Since Feb 18, 2026