what you don't know can hurt you

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 2 of 2

Files from Federico Dotta

Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution

Posted Jan 28, 2018

Authored by Alexey Tyurin, Federico Dotta, Kevin Kirsche, Luffin | Site metasploit.com

The Oracle WebLogic WLS WSAT component is vulnerable to an XML deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.

tags | exploit, remote, code execution

advisories | CVE-2017-10271

SHA-256 | 4ec37da27b4c2bc377cee005689b9de7e837a03542a60ce1130758c857cb9228

Download | Favorite | View

Red Hat JBoss EAP 5.2.x Untrusted Data Deserialization

Posted Nov 24, 2016

Authored by Maurizio Agazzini, Federico Dotta

JBoss EAP's JMX Invoker Servlet is exposed by default on port 8080/TCP. The communication employs serialized Java objects, encapsulated in HTTP requests and responses. The server deserializes these objects without checking the object type. This behavior can be exploited to cause a denial of service and potentially execute arbitrary code.

tags | exploit, java, web, denial of service, arbitrary, tcp

advisories | CVE-2016-7065

SHA-256 | 1402dee1010d43d2904c61bd152231b878698f6ba49611de5845ac70f3bc4052

Download | Favorite | View