CVE-2011-3494

eSignal < 10.6.2425 - Stack-Based and Heap-Based Buffer Overflow via Long StyleTemplate or FaceName Field


Exploitation Summary

EIP tracks 3 public exploits for CVE-2011-3494. PoCs were published by Metasploit and Luigi Auriemma, including the Metasploit module exploits/windows/fileformat/esignal_styletemplate_bof.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in eSignal and eSignal Pro <= 10.6.2425.1208 by crafting a malicious .QUO file with an oversized StyleTemplate tag. It uses an egghunter to locate and execute the payload, achieving remote code execution.

Description

WinSig.exe in eSignal 10.6.2425 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a long StyleTemplate element in a QUO, SUM or POR file, which triggers a stack-based buffer overflow, or (2) a long Font->FaceName field (aka FaceName element), which triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/17880

This exploit targets a buffer overflow vulnerability in eSignal and eSignal Pro <= 10.6.2425.1208 by crafting a malicious .QUO file with an oversized StyleTemplate tag. It uses an egghunter to locate and execute the payload, achieving remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: eSignal and eSignal Pro <= 10.6.2425.1208
No auth needed
Prerequisites: Victim must open the malicious .QUO file
devstral-2 · analyzed Feb 16, 2026

exploitdb · WRITEUP
by Luigi Auriemma · text · dos · windows
https://www.exploit-db.com/exploits/17837

The writeup describes two vulnerabilities in eSignal and eSignal Pro (versions <= 10.6.2425.1208): a code execution flaw via malformed '<StyleTemplate>' files (QUO, SUM, POR extensions) and a heap overflow in the Font->FaceName field of ETS, ETQ, and ESK files. No exploit code is provided, only a link to a PoC archive.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: eSignal and eSignal Pro <= 10.6.2425.1208
No auth needed
Prerequisites: Victim must open a maliciously crafted file with specific extensions (QUO, SUM, POR, ETS, ETQ, ESK)
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · NORMAL
by Luigi Auriemma · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb

This Metasploit module exploits a buffer overflow vulnerability in eSignal and eSignal Pro via malformed QUO files. It uses an egghunter to locate and execute a payload, targeting versions 10.6.2425.1208 and earlier.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: eSignal and eSignal Pro <= 10.6.2425.1208
No auth needed
Prerequisites: Victim must open a maliciously crafted QUO file
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/45966

Scores

EPSS 0.5578
EPSS Percentile 98.9%

Details

CWE: CWE-119
Status: published
Products (2):
interactivedata/esignal 10.6
interactivedata/esignal < 10.6.2425
Published: Sep 16, 2011
Tracked Since: Feb 18, 2026