SHELLCODE: Metasploit x86/fnstenv_mov Encoder Routine Over HTTP-STC
This signature detects Metasploit shellcode sent as part of an exploit payload, specifically the Windows Execution shell, encoded with the variable-length fnstenv/mov dword XOR encoder (x86/fnstenv_mov). This is a strong indication of malicious activity on your network.
Extended Description
Microsoft Excel is prone to a remote code-execution vulnerability. Attackers may exploit this issue by enticing victims into opening a maliciously crafted Excel ('.xls') file. Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the application.
Affected Products
Microsoft excel_2007
References
BugTraq: 23620, 51284, 31706, 34470, 18500, 27658, 48161, 32618, 16410, 35246, 13117, 37511, 20226, 16953, 45278, 35175
CVE: CVE-2009-1134
URL:
http://www.metasploit.com/modules/encoder/x86/fnstenv_mov
http://www.coresecurity.com/content/foxit-reader-vulnerabilities
http://www.corelan.be/advisories.php?id=CORELAN-11-001
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=783
http://support.apple.com/kb/ht4808
http://technet.microsoft.com/en-us/security/bulletin/ms12-005
http://www.iss.net/threats/287.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=763
http://aluigi.altervista.org/adv/esignal_1-adv.txt
http://www.zerodayinitiative.com/advisories/zdi-09-040/
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Microsoft