SmbFTPD is "a FTP daemon modified from the FTP daemon of FreeBSD 5.4. Besides keep original FreeBSD ftpd features, it enhances the user permission control, integrate configuration files, and more useful features". A format string vulnerability exist in the SMBDirList-function, dirlist.c, which gets called when a LIST/NLST is issued. It could be triggered by the way it outputs recursive listing on directories. It's caused due to misuse of fprintf.

http://www.securiteam.com/unixfocus/6D0010KK0O.html