SmbFTPD (http://www.twbsd.org/enu/smbftpd/index.php) is "a FTP daemon modified from the FTP daemon of FreeBSD 5.4. Besides keep original FreeBSD ftpd features, it enhances the user permission control, integrate configuration files, and more useful features". A format string vulnerability exist in the SMBDirList-function, dirlist.c, which gets called when a LIST/NLST is issued. It could be triggered by the way it outputs recursive listing on directories. It's caused due to misuse of fprintf.

http://www.securiteam.com/unixfocus/6D0010KK0O.html