https://feed.craftedsignal.io/tags/seh-overwrite/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 20:16:25 +0000https://feed.craftedsignal.io/briefs/2026-04-fdm-buffer-overflow/Wed, 29 Apr 2026 20:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-fdm-buffer-overflow/Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain exploitation, leading to arbitrary code execution.Free Download Manager (FDM) version 2.0 Built 417 is susceptible to a local buffer overflow vulnerability (CVE-2018-25304) within its URL import functionality. This vulnerability, discovered and reported by VulnCheck, allows an attacker to craft a malicious URL file. When a user imports this specially crafted file through the “File > Import > Import lists of downloads” menu, the application attempts to process the ‘Location’ header response, triggering a buffer overflow. This overflow overwrites the Structured Exception Handler (SEH) chain, enabling the attacker to execute arbitrary code within the context of the FDM process. This vulnerability can be exploited locally by tricking a user into importing a malicious file.

Attack Chain

1. Attacker crafts a malicious .url file containing an overly long Location header value designed to cause a buffer overflow.
2. The victim is convinced to download the malicious .url file (e.g., through social engineering).
3. The victim opens Free Download Manager 2.0 Built 417.
4. The victim navigates to “File > Import > Import lists of downloads” within FDM.
5. The victim selects the downloaded malicious .url file and initiates the import process.
6. FDM parses the malicious .url file and attempts to process the long Location header.
7. The excessively long Location header causes a buffer overflow, overwriting the SEH chain.
8. When an exception is triggered (due to the overflow), the overwritten SEH chain is used to redirect execution to attacker-controlled code, resulting in arbitrary code execution.

Impact

Successful exploitation of this buffer overflow vulnerability allows an attacker to execute arbitrary code on the victim’s system with the privileges of the Free Download Manager process. This could lead to complete system compromise, data theft, or installation of malware. While specific victim counts are unavailable, the vulnerability poses a significant risk to users of Free Download Manager 2.0 Built 417.

Recommendation

• Monitor for process creation events originating from Free Download Manager after importing a .url file to detect potential exploitation attempts (see Sigma rule “Detect Free Download Manager Suspicious Process Creation After Import”).
• Implement file integrity monitoring (FIM) on the Free Download Manager executable directory to detect unauthorized modifications potentially related to exploitation.
• Consider using application control solutions to restrict the execution of unsigned or untrusted code within the Free Download Manager process.

]]>criticaladvisorybuffer-overflowseh-overwritecode-executioncve-2018-25304https://feed.craftedsignal.io/briefs/2026-04-allok-video-buffer-overflow/Wed, 29 Apr 2026 20:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-allok-video-buffer-overflow/Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow vulnerability (CVE-2018-25303) in the License Name field, allowing a local attacker to execute arbitrary code by triggering a structured exception handler (SEH) overwrite.A stack-based buffer overflow vulnerability exists in Allok Video to DVD Burner version 2.6.1217. This vulnerability, identified as CVE-2018-25303, resides within the “License Name” field of the application. A local attacker can exploit this flaw by crafting a malicious input designed to overwrite the Structured Exception Handler (SEH). Successful exploitation enables the attacker to execute arbitrary code within the context of the application. The vulnerability was reported on 2026-04-29. This is important for defenders because successful exploitation can lead to complete system compromise on vulnerable machines.

Attack Chain

1. The attacker gains local access to a system with Allok Video to DVD Burner 2.6.1217 installed.
2. The attacker crafts a malicious input string consisting of 780 bytes of arbitrary data.
3. The attacker appends SEH chain pointers and shellcode to the crafted input string.
4. The attacker opens the Allok Video to DVD Burner application and navigates to the registration window.
5. The attacker pastes the malicious input string into the “License Name” field.
6. The application attempts to process the oversized input, triggering the buffer overflow.
7. The SEH is overwritten with the attacker’s controlled pointers.
8. The shellcode is executed, giving the attacker arbitrary code execution on the system.

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code within the context of the Allok Video to DVD Burner application. This could lead to complete system compromise, including data theft, installation of malware, or other malicious activities. The vulnerability affects version 2.6.1217 of the software. The number of potential victims depends on the number of installations of the vulnerable software.

Recommendation

• Monitor process creations for Allok Video to DVD Burner and unusual child processes using the process creation rule below.
• Monitor for registry modifications performed by the vulnerable application that may indicate persistence.
• Due to the age of the application, consider whether it should continue to be used within the environment.

]]>highadvisorycvebuffer overflowseh overwritehttps://feed.craftedsignal.io/briefs/2026-04-r-buffer-overflow/Sun, 05 Apr 2026 21:16:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-r-buffer-overflow/R i386 version 3.5.0 is susceptible to a local buffer overflow in the GUI Preferences dialog, allowing a local attacker to overwrite the structured exception handler (SEH) by supplying a malicious string to the 'Language for menus and messages' field, leading to arbitrary code execution.R i386 version 3.5.0 contains a local buffer overflow vulnerability, identified as CVE-2019-25656, within the GUI Preferences dialog. This vulnerability allows a local attacker to achieve arbitrary code execution by exploiting a buffer overflow when the application processes user-supplied input in the ‘Language for menus and messages’ field. By crafting a malicious payload string, an attacker can overwrite the Structured Exception Handler (SEH) records. Successful exploitation would allow attackers to execute arbitrary code with the privileges of the user running the application. This poses a significant risk to systems running this vulnerable version of R, potentially leading to complete system compromise.

Attack Chain

1. Attacker gains local access to a Windows system running R i386 3.5.0.
2. Attacker opens the R application.
3. Attacker navigates to the GUI Preferences dialog within the R application.
4. Attacker identifies the ‘Language for menus and messages’ field within the GUI Preferences.
5. Attacker crafts a malicious payload string designed to overwrite SEH records, including shellcode for arbitrary code execution.
6. Attacker inputs the malicious string into the ‘Language for menus and messages’ field.
7. The R application attempts to process the attacker-supplied string without proper bounds checking, triggering the buffer overflow.
8. The crafted payload overwrites the SEH record, redirecting execution flow to the attacker-controlled shellcode, resulting in arbitrary code execution.

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code on the targeted system. The impact includes potential privilege escalation, allowing the attacker to perform actions with the same privileges as the user running the R application. This could lead to the installation of malware, data exfiltration, or complete system compromise. While specific victim numbers are not available, any system running the vulnerable R i386 3.5.0 is at risk.

Recommendation

• Upgrade R to a version higher than 3.5.0 to patch CVE-2019-25656.
• Deploy the Sigma rule to detect the execution of R with a modified command line containing long strings to identify potential exploit attempts.
• Monitor network connections originating from R processes for suspicious outbound traffic using network connection logs.
• Implement the Sigma rule to detect abnormal process execution originating from the R application to catch potential exploitation attempts.

]]>highadvisorybuffer-overflowseh-overwritecode-executioncve-2019-25656windowshttps://feed.craftedsignal.io/briefs/2026-03-base64-decoder-overflow/Tue, 24 Mar 2026 12:16:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-base64-decoder-overflow/Base64 Decoder 1.1.2 is vulnerable to a stack-based buffer overflow (CVE-2019-25634) allowing local attackers to achieve arbitrary code execution via a crafted input file that triggers an SEH overwrite.<p>Base64 Decoder version 1.1.2 is susceptible to a stack-based buffer overflow vulnerability, identified as CVE-2019-25634. This flaw enables a local attacker to execute arbitrary code on a vulnerable system. The vulnerability arises from insufficient bounds checking when processing input, allowing an attacker to overwrite critical parts of the stack. Successful exploitation requires the attacker to craft a malicious input file specifically designed to trigger the overflow. The impact of this…</p> highadvisorycve-2019-25634buffer-overflowseh-overwritecode-executionhttps://feed.craftedsignal.io/briefs/2026-03-dvdxplayer-bof/Mon, 23 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-dvdxplayer-bof/DVDXPlayer Pro 5.5 is vulnerable to a local buffer overflow, allowing local attackers to execute arbitrary code by crafting malicious playlist files.<p>DVDXPlayer Pro 5.5 is susceptible to a local buffer overflow vulnerability (CVE-2019-25604) that can be exploited by local attackers. This vulnerability allows for arbitrary code execution through the creation of specially crafted playlist files (.plf). The attack involves overflowing a buffer and hijacking the Structured Exception Handling (SEH) chain to execute attacker-controlled code within the context of the application. The vulnerability was reported in March 2026. Successful exploitation…</p> highadvisorybuffer-overflowseh-overwritecve-2019-25604dvdxplayer