SHELLCODE: Metasploit x86/fnstenv_mov Encoder Routine Over TCP-CTS

This signature detects Metasploit shellcode sent as part of an exploit payload, specifically the Windows Execution shell encoded with the variable-length fnstenv/mov dword XOR encoder (x86/fnstenv_mov). This is a strong indication of malicious activity on your network.

Extended Description

Computer Associates BrightStor ARCserve Backup is affected by a remote buffer-overflow vulnerability because the application fails to perform proper bounds checking on data supplied to it. A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer with SYSTEM privileges. Failed exploit attempts may cause denial-of-service conditions. Successful exploits can lead to a complete compromise of affected computers. This issue affects multiple BrightStor ARCserve Backup application agents as well as the base product.

Affected Products

Computer_associates brightstor_arcserve_backup

Short Name
SHELLCODE:X86:FNSTENV-CTS
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
SHELLCODE
Keywords
CVE-2004-2501 CVE-2005-0560 CVE-2005-2618 CVE-2007-0169 CVE-2009-0550 Encoder Metasploit Over Routine TCP-CTS bid:11755 bid:13118 bid:16576 bid:22005 bid:34439 x86/fnstenv_mov
Release Date
11/09/2010
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3715
Port
TCP/0-79,81-442,444-3127,3129-7999,8001-8079,8081-65535
False Positive
Unknown
Vendors

Computer_associates
