Metasploit modules that can be used to exploit Oracle » JRE » 1.7.0 update17
Java storeImageArray() Invalid Array Indexing Vulnerability
Disclosure Date: 2013-08-12
First seen: 2020-04-26
Module: exploit/multi/browser/java_storeimagearray
This module abuses an Invalid Array Indexing Vulnerability in the static storeImageArray() function in order to cause a memory corruption and escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems.
Authors:
- Unknown
- sinn3r <sinn3r@metasploit.com>
- juan vazquez <juan.vazquez@metasploit.com>
Java Applet ProviderSkeleton Insecure Invoke Method
Disclosure Date: 2013-06-18
First seen: 2020-04-26
Module: exploit/multi/browser/java_jre17_provider_skeleton
This module abuses the insecure invoke() method of the ProviderSkeleton class, which allows calling arbitrary static methods with user-supplied arguments. The vulnerability affects Java version 7u21 and earlier.
Authors:
- Adam Gowdiak
- Matthias Kaiser
Java CMM Remote Code Execution
Disclosure Date: 2013-03-01
First seen: 2020-04-26
Module: exploit/windows/browser/java_cmm
This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier, and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the Java warning in order to run the malicious applet.
Authors:
- Unknown
- juan vazquez <juan.vazquez@metasploit.com>
Java Applet JMX Remote Code Execution
Disclosure Date: 2013-01-19
First seen: 2020-04-26
Module: exploit/multi/browser/java_jre17_jmxbean_2
This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in February of 2013. Additionally, this module bypasses the default security settings introduced in Java 7 Update 10 to run an unsigned applet without displaying any warning to the user.
Authors:
- Unknown
- Adam Gowdiak
- SecurityObscurity
- juan vazquez <juan.vazquez@metasploit.com>
Java Applet JMX Remote Code Execution
Disclosure Date: 2013-01-10
First seen: 2020-04-26
Module: exploit/multi/browser/java_jre17_jmxbean
This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.
Authors:
- Unknown
- egypt <egypt@metasploit.com>
- sinn3r <sinn3r@metasploit.com>
- juan vazquez <juan.vazquez@metasploit.com>
Java Applet Driver Manager Privileged toString() Remote Code Execution
Disclosure Date: 2013-01-10
First seen: 2020-04-26
Module: exploit/multi/browser/java_jre17_driver_manager
This module abuses the java.sql.DriverManager class, where the toString() method is called on user-supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer by delivering a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without the click-to-play bypass.
Authors:
- James Forshaw
- juan vazquez <juan.vazquez@metasploit.com>
Java Applet Reflection Type Confusion Remote Code Execution
Disclosure Date: 2013-01-10
First seen: 2020-04-26
Module: exploit/multi/browser/java_jre17_reflection_types
This module abuses Java Reflection to generate a Type Confusion, due to weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play through a specially crafted JNLP file. This bypass applies mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise the applet is launched without the click-to-play bypass.
Authors:
- Jeroen Frijters
- juan vazquez <juan.vazquez@metasploit.com>
Sun Java Web Start Double Quote Injection
Disclosure Date: 2012-10-16
First seen: 2020-04-26
Module: exploit/windows/browser/java_ws_double_quote
This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The parameters initial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the Java process. Thus an attacker can execute arbitrary code in the context of a browser user. This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07. In order for this module to work, it must be run as root on a server that does not serve SMB (in most cases, this means non-Windows hosts). Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. Alternatively, a UNC path containing a jvm.dll can be specified, bypassing the Windows limitation for the Metasploit host.
Authors:
- Rh0 <rh0@z1p.biz>
Java Applet JAX-WS Remote Code Execution
Disclosure Date: 2012-10-16
First seen: 2020-04-26
Module: exploit/multi/browser/java_jre17_jaxws
This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.
Authors:
- Unknown
- juan vazquez <juan.vazquez@metasploit.com>
Java Applet AverageRangeStatisticImpl Remote Code Execution
Disclosure Date: 2012-10-16
First seen: 2020-04-26
Module: exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl
This module abuses the AverageRangeStatisticImpl class from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.
Authors:
- Unknown
- juan vazquez <juan.vazquez@metasploit.com>
Java Applet Method Handle Remote Code Execution
Disclosure Date: 2012-10-16
First seen: 2020-04-26
Module: exploit/multi/browser/java_jre17_method_handle
This module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier.
Authors:
- Unknown
- juan vazquez <juan.vazquez@metasploit.com>
Sun Java Web Start Plugin Command Line Argument Injection
Disclosure Date: 2012-02-14
First seen: 2020-04-26
Module: exploit/windows/browser/java_ws_vmargs
This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser-known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.
Authors:
- jduck <jduck@metasploit.com>
Java AtomicReferenceArray Type Violation Vulnerability
Disclosure Date: 2012-02-14
First seen: 2020-04-26
Module: exploit/multi/browser/java_atomicreferencearray
This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This provides a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.
Authors:
- Jeroen Frijters
- sinn3r <sinn3r@metasploit.com>
- juan vazquez <juan.vazquez@metasploit.com>
- egypt <egypt@metasploit.com>
Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5
Disclosure Date: 2009-06-17
First seen: 2020-04-26
Module: auxiliary/scanner/ssl/bleichenbacher_oracle
Some TLS implementations handle errors when processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads to an adaptive chosen-ciphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present.
Authors:
- Hanno Böck
- Juraj Somorovsky
- Craig Young
- Daniel Bleichenbacher
- Adam Cammack <adam_cammack[AT]rapid7.com>
14 Metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.