Java Applet Field Bytecode Verifier Cache Remote Code Execution
Disclosure Date: 2012-06-06
First seen: 2020-04-26
exploit/multi/browser/java_verifier_field_access
This module exploits a vulnerability in the HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.
Authors:
- Stefan Cornelius
- mihi
- littlelightlittlefire
- juan vazquez <juan.vazquez@metasploit.com>
- sinn3r <sinn3r@metasploit.com>
Java RMI Server Insecure Endpoint Code Execution Scanner
Disclosure Date: 2011-10-15
First seen: 2020-04-26
auxiliary/scanner/misc/java_rmi_server
Detect Java RMI endpoints.
Authors:
- mihi
- hdm <x@hdm.io>
Java RMI Server Insecure Default Configuration Java Code Execution
Disclosure Date: 2011-10-15
First seen: 2020-04-26
exploit/multi/misc/java_rmi_server
This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector, which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports, since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.
Authors:
- mihi
Java Statement.invoke() Trusted Method Chain Privilege Escalation
Disclosure Date: 2010-03-31
First seen: 2020-04-26
exploit/multi/browser/java_trusted_chain
This module exploits a vulnerability in the Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Authors:
- Sami Koivu
- Matthias Kaiser
- egypt <egypt@metasploit.com>
Java MixerSequencer Object GM_Song Structure Handling Vulnerability
Disclosure Date: 2010-03-30
First seen: 2020-04-26
exploit/windows/browser/java_mixer_sequencer
This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When the vulnerability is triggered, "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable across Java updates.
Authors:
- Peter Vreugdenhil
- juan vazquez <juan.vazquez@metasploit.com>
Sun Java JRE getSoundbank file:// URI Buffer Overflow
Disclosure Date: 2009-11-04
First seen: 2020-04-26
exploit/multi/browser/java_getsoundbank_bof
This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Authors:
- kf <kf_list@digitalmunition.com>
- jduck <jduck@metasploit.com>
Sun Java JRE AWT setDiffICM Buffer Overflow
Disclosure Date: 2009-11-04
First seen: 2020-04-26
exploit/multi/browser/java_setdifficm_bof
This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Authors:
- jduck <jduck@metasploit.com>
Sun Java Calendar Deserialization Privilege Escalation
Disclosure Date: 2008-12-03
First seen: 2020-04-26
exploit/multi/browser/java_calendar_deserialize
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload, which is generated as an executable and dropped/executed on the target, or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, and SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).
Authors:
- sf <stephen_fewer@harmonysecurity.com>
- hdm <x@hdm.io>
8 Metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.