SHELLCODE: Metasploit x86/fnstenv_mov Encoder Routine Over TCP-STC
This signature detects Metasploit shell code being sent as part of an exploit payload, specifically the Windows Execution shell, using the variable-length fnstenv/mov dword XOR encoder (x86/fnstenv_mov). This is a strong indication of malicious activity on your network.
Extended Description
Multiple stack-based buffer overflows in the SOCKS proxy support (sockd) in Sun Java Web Proxy Server before 4.0.5 allow remote attackers to execute arbitrary code via crafted packets during protocol negotiation.
Affected Products
Sun java_system_web_proxy_server
Short Name
SHELLCODE:X86:FNSTENV-STC
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
SHELLCODE
Keywords
CVE-2007-2881 Encoder Metasploit Over Routine TCP-STC bid:24165 x86/fnstenv_mov
Release Date
09/25/2013
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3707
Port
TCP/0-79,81-442,444-3127,3129-7999,8001-8079,8081-65535
False Positive
Unknown
Vendors
Sun