Metasploit modules that can be used to exploit SUN » JRE » 1.5.0 update33
Java storeImageArray() Invalid Array Indexing Vulnerability
Disclosure Date: 2013-08-12
First seen: 2020-04-26
Module: exploit/multi/browser/java_storeimagearray
This module abuses an Invalid Array Indexing Vulnerability in the static storeImageArray() function in order to cause a memory corruption and escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems.
Authors:
- Unknown
- sinn3r <sinn3r@metasploit.com>
- juan vazquez <juan.vazquez@metasploit.com>
Java CMM Remote Code Execution
Disclosure Date: 2013-03-01
First seen: 2020-04-26
Module: exploit/windows/browser/java_cmm
This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the Java warning in order to run the malicious applet.
Authors:
- Unknown
- juan vazquez <juan.vazquez@metasploit.com>
Java AtomicReferenceArray Type Violation Vulnerability
Disclosure Date: 2012-02-14
First seen: 2020-04-26
Module: exploit/multi/browser/java_atomicreferencearray
This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.
Authors:
- Jeroen Frijters
- sinn3r <sinn3r@metasploit.com>
- juan vazquez <juan.vazquez@metasploit.com>
- egypt <egypt@metasploit.com>
Java RMI Server Insecure Endpoint Code Execution Scanner
Disclosure Date: 2011-10-15
First seen: 2020-04-26
Module: auxiliary/scanner/misc/java_rmi_server
Detect Java RMI endpoints.
Authors:
- mihi
- hdm <x@hdm.io>
Java RMI Server Insecure Default Configuration Java Code Execution
Disclosure Date: 2011-10-15
First seen: 2020-04-26
Module: exploit/multi/misc/java_rmi_server
This module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.
Authors:
- mihi
Java RMIConnectionImpl Deserialization Privilege Escalation
Disclosure Date: 2010-03-31
First seen: 2020-04-26
Module: exploit/multi/browser/java_rmi_connection_impl
This module exploits a vulnerability in the Java Runtime Environment that allows a MarshalledObject containing a custom classloader to be deserialized under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Authors:
- Sami Koivu
- Matthias Kaiser
- egypt <egypt@metasploit.com>
Java Statement.invoke() Trusted Method Chain Privilege Escalation
Disclosure Date: 2010-03-31
First seen: 2020-04-26
Module: exploit/multi/browser/java_trusted_chain
This module exploits a vulnerability in the Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Authors:
- Sami Koivu
- Matthias Kaiser
- egypt <egypt@metasploit.com>
Java MixerSequencer Object GM_Song Structure Handling Vulnerability
Disclosure Date: 2010-03-30
First seen: 2020-04-26
Module: exploit/windows/browser/java_mixer_sequencer
This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When the vulnerability is triggered, "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable across Java updates.
Authors:
- Peter Vreugdenhil
- juan vazquez <juan.vazquez@metasploit.com>
Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5
Disclosure Date: 2009-06-17
First seen: 2020-04-26
Module: auxiliary/scanner/ssl/bleichenbacher_oracle
Some TLS implementations handle errors when processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads to an adaptive chosen-ciphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present.
Authors:
- Hanno Böck
- Juraj Somorovsky
- Craig Young
- Daniel Bleichenbacher
- Adam Cammack <adam_cammack[AT]rapid7.com>
9 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.