Java Statement.invoke() Trusted Method Chain Privilege Escalation
Disclosure Date: 2010-03-31
First seen: 2020-04-26
exploit/multi/browser/java_trusted_chain
This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Authors:
- Sami Koivu
- Matthias Kaiser
- egypt <egypt@metasploit.com>
Java MixerSequencer Object GM_Song Structure Handling Vulnerability
Disclosure Date: 2010-03-30
First seen: 2020-04-26
exploit/windows/browser/java_mixer_sequencer
This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF File. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A Midi block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When triggering the vulnerability "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable over java updates.
Authors:
- Peter Vreugdenhil
- juan vazquez <juan.vazquez@metasploit.com>
Sun Java JRE getSoundbank file:// URI Buffer Overflow
Disclosure Date: 2009-11-04
First seen: 2020-04-26
exploit/multi/browser/java_getsoundbank_bof
This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Authors:
- kf <kf_list@digitalmunition.com>
- jduck <jduck@metasploit.com>
Sun Java JRE AWT setDiffICM Buffer Overflow
Disclosure Date: 2009-11-04
First seen: 2020-04-26
exploit/multi/browser/java_setdifficm_bof
This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Authors:
- jduck <jduck@metasploit.com>
Sun Java Calendar Deserialization Privilege Escalation
Disclosure Date: 2008-12-03
First seen: 2020-04-26
exploit/multi/browser/java_calendar_deserialize
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).
Authors:
- sf <stephen_fewer@harmonysecurity.com>
- hdm <x@hdm.io>
5 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.