• Java storeImageArray() Invalid Array Indexing Vulnerability
    Disclosure Date: 2013-08-12
    First seen: 2020-04-26
    exploit/multi/browser/java_storeimagearray
    This module abuses an Invalid Array Indexing Vulnerability on the static function storeImageArray() function in order to cause a memory corruption and escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems. Authors: - Unknown - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • Java CMM Remote Code Execution
    Disclosure Date: 2013-03-01
    First seen: 2020-04-26
    exploit/windows/browser/java_cmm
    This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the java warning in order to run the malicious applet. Authors: - Unknown - juan vazquez <juan.vazquez@metasploit.com>
  • Sun Java Web Start Double Quote Injection
    Disclosure Date: 2012-10-16
    First seen: 2020-04-26
    exploit/windows/browser/java_ws_double_quote
    This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. Parameters initial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the java process. Thus an attacker can execute arbitrary code in the context of a browser user. This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07. In order for this module to work, it must be run as root on a server that does not serve SMB (In most cases, this means non-Windows hosts). Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. Alternatively, a UNC path containing a jvm.dll can be specified, bypassing the Windows limitation for the Metasploit host. Authors: - Rh0 <rh0@z1p.biz>
  • Java AtomicReferenceArray Type Violation Vulnerability
    Disclosure Date: 2012-02-14
    First seen: 2020-04-26
    exploit/multi/browser/java_atomicreferencearray
    This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations. Authors: - Jeroen Frijters - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com> - egypt <egypt@metasploit.com>
  • Sun Java Web Start Plugin Command Line Argument Injection
    Disclosure Date: 2012-02-14
    First seen: 2020-04-26
    exploit/windows/browser/java_ws_vmargs
    This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. Authors: - jduck <jduck@metasploit.com>
  • Java Applet Rhino Script Engine Remote Code Execution
    Disclosure Date: 2011-10-18
    First seen: 2020-04-26
    exploit/multi/browser/java_rhino
    This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc) Authors: - Michael Schierl - juan vazquez <juan.vazquez@metasploit.com> - Edward D. Teach <teach@consortium-of-pwners.net> - sinn3r <sinn3r@metasploit.com>
  • Java RMI Server Insecure Endpoint Code Execution Scanner
    Disclosure Date: 2011-10-15
    First seen: 2020-04-26
    auxiliary/scanner/misc/java_rmi_server
    Detect Java RMI endpoints Authors: - mihi - hdm <x@hdm.io>
  • Java RMI Server Insecure Default Configuration Java Code Execution
    Disclosure Date: 2011-10-15
    First seen: 2020-04-26
    exploit/multi/misc/java_rmi_server
    This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication. Authors: - mihi
  • Sun Java Applet2ClassLoader Remote Code Execution
    Disclosure Date: 2011-02-15
    First seen: 2020-04-26
    exploit/windows/browser/java_codebase_trust
    This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java Sandbox. When an applet is invoked with: 1. A "codebase" parameter that points at a trusted directory 2. A "code" parameter that is a URL that does not contain any dots the applet will run outside of the sandbox. This vulnerability affects JRE prior to version 6 update 24. Authors: - Frederic Hoguin - jduck <jduck@metasploit.com>
  • Sun Java Web Start BasicServiceImpl Code Execution
    Disclosure Date: 2010-10-12
    First seen: 2020-04-26
    exploit/windows/browser/java_basicservice_impl
    This module exploits a vulnerability in Java Runtime Environment that allows an attacker to escape the Java Sandbox. By injecting a parameter into a javaws call within the BasicServiceImpl class the default java sandbox policy file can be therefore overwritten. The vulnerability affects version 6 prior to update 22. NOTE: Exploiting this vulnerability causes several sinister-looking popup windows saying that Java is "Downloading application." Authors: - Matthias Kaiser - egypt <egypt@metasploit.com>
  • Sun Java Runtime New Plugin docbase Buffer Overflow
    Disclosure Date: 2010-10-12
    First seen: 2020-04-26
    exploit/windows/browser/java_docbase_bof
    This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a "launchjnlp" parameter, it will copy the contents of the "docbase" parameter to a stack-buffer using the "sprintf" function. A string of 396 bytes is enough to overflow the 256 byte stack buffer and overwrite some local variables as well as the saved return address. NOTE: The string being copied is first passed through the "WideCharToMultiByte". Due to this, only characters which have a valid localized multibyte representation are allowed. Invalid characters will be replaced with question marks ('?'). This vulnerability was originally discovered independently by both Stephen Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't been done, all versions since version 6 Update 10 are believed to be affected by this vulnerability. This vulnerability was patched as part of the October 2010 Oracle Patch release. Authors: - jduck <jduck@metasploit.com>
  • Java Statement.invoke() Trusted Method Chain Privilege Escalation
    Disclosure Date: 2010-03-31
    First seen: 2020-04-26
    exploit/multi/browser/java_trusted_chain
    This module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23. Authors: - Sami Koivu - Matthias Kaiser - egypt <egypt@metasploit.com>
  • Java RMIConnectionImpl Deserialization Privilege Escalation
    Disclosure Date: 2010-03-31
    First seen: 2020-04-26
    exploit/multi/browser/java_rmi_connection_impl
    This module exploits a vulnerability in the Java Runtime Environment that allows to deserialize a MarshalledObject containing a custom classloader under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23. Authors: - Sami Koivu - Matthias Kaiser - egypt <egypt@metasploit.com>
  • Java MixerSequencer Object GM_Song Structure Handling Vulnerability
    Disclosure Date: 2010-03-30
    First seen: 2020-04-26
    exploit/windows/browser/java_mixer_sequencer
    This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation id done by supplying a specially crafted MIDI file within an RMF File. When the MixerSequencer objects is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A Midi block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When triggering the vulnerability "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable over java updates. Authors: - Peter Vreugdenhil - juan vazquez <juan.vazquez@metasploit.com>
  • Sun Java JRE getSoundbank file:// URI Buffer Overflow
    Disclosure Date: 2009-11-04
    First seen: 2020-04-26
    exploit/multi/browser/java_getsoundbank_bof
    This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The effected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested. Authors: - kf <kf_list@digitalmunition.com> - jduck <jduck@metasploit.com>
  • Sun Java JRE AWT setDiffICM Buffer Overflow
    Disclosure Date: 2009-11-04
    First seen: 2020-04-26
    exploit/multi/browser/java_setdifficm_bof
    This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The effected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested. Authors: - jduck <jduck@metasploit.com>
  • Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5
    Disclosure Date: 2009-06-17
    First seen: 2020-04-26
    auxiliary/scanner/ssl/bleichenbacher_oracle
    Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present. Authors: - Hanno Böck - Juraj Somorovsky - Craig Young - Daniel Bleichenbacher - Adam Cammack <adam_cammack[AT]rapid7.com>
17 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!