SHELLCODE: Metasploit x86/fnstenv_mov Encoder Routine Over HTTP-CTS

This signature detects Metasploit shellcode sent as part of an exploit payload, specifically the Windows Execution shell, encoded with the variable-length fnstenv/mov dword XOR encoder (x86/fnstenv_mov). This is a strong indication of malicious activity on your network.

Extended Description

Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request.

Affected Products

Microsoft windows_xp

Short Name: SHELLCODE:X86:FNSTENV-80C
Severity: Critical
Recommended: False
Recommended Action: Drop
Category: SHELLCODE
Keywords: CVE-2003-0822 CVE-2007-0774 CVE-2007-3454 CVE-2008-0067 CVE-2008-0401 Encoder HTTP-CTS Metasploit Over Routine bid:22791 bid:27387 bid:33147 bid:9007 x86/fnstenv_mov
Release Date: 03/25/2011
Supported Platforms

srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version: 3761
False Positive: Unknown
Vendors

Microsoft
